chore(deps): update ghcr.io/dexidp/dex docker tag to v2.42.0 (#3172)

* chore(deps): update ghcr.io/dexidp/dex docker tag to v2.42.0

Signed-off-by: argoproj-renovate[bot] <161757507+argoproj-renovate[bot]@users.noreply.github.com>

* bump the chart

Signed-off-by: Tim Collins <tim@thecollins.team>

* helm docs

Signed-off-by: Tim Collins <tim@thecollins.team>

---------

Signed-off-by: argoproj-renovate[bot] <161757507+argoproj-renovate[bot]@users.noreply.github.com>
Signed-off-by: Tim Collins <tim@thecollins.team>
Co-authored-by: argoproj-renovate[bot] <161757507+argoproj-renovate[bot]@users.noreply.github.com>
Co-authored-by: Tim Collins <tim@thecollins.team>

.github/configs/renovate-config.js

@@ -0,0 +1,8 @@
+module.exports = {
+    platform: 'github',
+    // This ensures that the gitAuthor and gitSignOff fields match
+    gitAuthor: 'argoproj-renovate[bot] <161757507+argoproj-renovate[bot]@users.noreply.github.com>',
+    autodiscover: false,
+    allowPostUpgradeCommandTemplating: true,
+    allowedPostUpgradeCommands: [".*"],
+  };

.github/dependabot.yml

@@ -6,3 +6,11 @@ updates:
     schedule:
       interval: weekly
       day: "saturday"
+    commit-message:
+      prefix: "chore(deps)"
+    groups:
+      dependencies:
+        applies-to: version-updates
+        update-types:
+          - "minor"
+          - "patch"

.github/workflows/chart-version-bump.yml

@@ -1,57 +0,0 @@
-## Used on Renovate PRs to bump the chart version and add a changelog entry
-## Reference: https://github.com/stefanzweifel/git-auto-commit-action
-## Reference: https://github.com/marketplace/actions/changed-files
-name: 'Chart Version Bump and Changelog'
-
-on:
-  pull_request:
-    types:
-      - labeled
-
-permissions:
-  contents: write
-
-jobs:
-  helm-bumper:
-    if: ${{ (contains(github.event.pull_request.labels.*.name, 'renovate')) }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          token: ${{ secrets.PAT }}
-          fetch-depth: 0
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # v41.0.1
-        with:
-          files: charts/{argo-workflows,argo-cd,argo-events,argo-rollouts,argocd-image-updater}/Chart.yaml
-
-      - name: "Bump Version and Changelog"
-        run: |
-          chartName="$(echo \"${{ steps.changed-files.outputs.all_changed_files }}\" | cut -d '/' -f2)"
-          echo "Changed chart name is: $chartName"
-          echo "----------------------------------------"
-
-          parentDir="charts/${chartName}"
-
-          # Bump the chart version by one patch version
-          version=$(grep '^version:' ${parentDir}/Chart.yaml | awk '{print $2}')
-          major=$(echo $version | cut -d. -f1)
-          minor=$(echo $version | cut -d. -f2)
-          patch=$(echo $version | cut -d. -f3)
-          patch=$(expr $patch + 1)
-          sed -i "s/^version:.*/version: ${major}.${minor}.${patch}/g" ${parentDir}/Chart.yaml
-
-          # Add a changelog entry
-          appVersion=$(grep '^appVersion:' ${parentDir}/Chart.yaml | awk '{print $2}')
-          sed -i -e '/^  artifacthub.io\/changes: |/,$d' ${parentDir}/Chart.yaml
-          echo "  artifacthub.io/changes: |" >> ${parentDir}/Chart.yaml
-          echo "    - kind: changed" >> ${parentDir}/Chart.yaml
-          echo "      description: Bump ${chartName} to ${appVersion}" >> ${parentDir}/Chart.yaml
-          cat ${parentDir}/Chart.yaml
-
-      - name: "Commit and push changes"
-        uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5.0.0
-        with:
-          commit_options: '--signoff'

.github/workflows/lint-and-test.yml

@@ -13,7 +13,7 @@ jobs:
       options: --user 1001
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run ah lint
         working-directory: ./charts
         run: ah lint
@@ -22,26 +22,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
           version: v3.10.1 # Also update in publish.yaml
 
       - name: Set up python
-        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
         with:
           python-version: 3.9
 
       - name: Setup Chart Linting
         id: lint
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
           # Note: Also update in scripts/lint.sh
-          version: v3.10.0
+          version: v3.11.0
 
       - name: List changed charts
         id: list-changed
@@ -70,11 +70,10 @@ jobs:
           fi
 
       - name: Create kind cluster
-        uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
+        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
         if: steps.list-changed.outputs.changed == 'true'
         with:
           config: .github/configs/kind-config.yaml
-
       - name: Deploy latest ArgoCD CRDs when testing ArgoCD extensions
         if: |
           contains(steps.list-changed.outputs.changed_charts, 'argocd-image-updater') ||

.github/workflows/pr-sizing.yml

@@ -25,6 +25,6 @@ jobs:
   size-label:
     runs-on: ubuntu-latest
     steps:
-      - uses: pascalgn/size-label-action@37a5ad4ae20ea8032abf169d953bcd661fd82cd3 # v0.5.0
+      - uses: pascalgn/size-label-action@f8edde36b3be04b4f65dcfead05dc8691b374348 # v0.5.5
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/pr-title.yml

@@ -19,7 +19,7 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/publish.yml

@@ -12,18 +12,19 @@ permissions:
 
 jobs:
   publish:
+    if: github.repository == 'argoproj/argo-helm'
     permissions:
       contents: write  # for helm/chart-releaser-action to push chart release and create a release
       packages: write  # to push OCI chart package to GitHub Registry
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Install Helm
-        uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
         with:
           version: v3.10.1 # Also update in lint-and-test.yaml
 
@@ -58,14 +59,14 @@ jobs:
           PGP_PASSPHRASE: "${{ secrets.PGP_PASSPHRASE }}"
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
+        uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0
         with:
           config: "./.github/configs/cr.yaml"
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
       - name: Login to GHCR
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

.github/workflows/renovate.yaml

@@ -0,0 +1,38 @@
+name: Renovate
+on:
+  # The "*" (#42, asterisk) character has special semantics in YAML, so this
+  # string has to be quoted.
+  schedule:
+    - cron: '0 * * * *'
+  # Manual trigger is also possible
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    if: github.repository == 'argoproj/argo-helm'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get token
+        uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
+        id: get_token
+        with:
+          app-id: ${{ vars.RENOVATE_APP_ID }}
+          private-key: ${{ secrets.RENOVATE_APP_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@e084b5ac6fd201023db6dd7743aec023babb02c8 # v41.0.13
+        with:
+          configurationFile: .github/configs/renovate-config.js
+          # renovate: datasource=docker depName=ghcr.io/renovatebot/renovate
+          renovate-version: 39.153.2
+          token: '${{ steps.get_token.outputs.token }}'
+          mount-docker-socket: true
+        env:
+          LOG_LEVEL: 'debug'
+          RENOVATE_REPOSITORIES: '${{ github.repository }}'

.github/workflows/scorecard.yml

@@ -33,12 +33,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -60,7 +60,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: SARIF file
           path: results.sarif
@@ -68,6 +68,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: results.sarif

.github/workflows/stale.yml

@@ -14,7 +14,7 @@ jobs:
       pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+    - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Number of days of inactivity before an issue becomes stale

CONTRIBUTING.md

@@ -124,7 +124,7 @@ helm install charts/argo-workflows -n argo
 argo version
 ```
 
-Follow [these](https://argoproj.github.io/argo-workflows/quick-start/#submitting-an-example-workflow) instructions for running a hello world workflow.
+Follow [these](https://argo-workflows.readthedocs.io/en/stable/quick-start/#submitting-an-example-workflow) instructions for running a hello world workflow.
 
 ### Testing Argo CD Changes
 

README.md

@@ -42,3 +42,63 @@ Please refer to [SECURITY.md](SECURITY.md) for details on how to report security
 ### Changelog
 
 Releases are managed independently for each helm chart, and changelogs are tracked on each release. Read more about this process [here](https://github.com/argoproj/argo-helm/blob/main/CONTRIBUTING.md#changelog).
+
+## Charts use Helm "Capabilities"
+
+Our charts make use of the Helm built-in object "Capabilities":
+> This provides information about what capabilities the Kubernetes cluster supports.  
+> *Source: https://helm.sh/docs/chart_template_guide/builtin_objects/*
+
+Today we use:
+
+- `.Capabilities.APIVersions.Has` mostly to determine whether the CRDs for ServiceMonitors (from prometheus-operator) exists inside the cluster
+- `.Capabilities.KubeVersion.Version` to handle correct apiVersion of a specific resource kind (eg. "policy/v1" vs. "policy/v1beta1")
+
+If you use the charts only to template the manifests, without installing (`helm install ..`), you need to make sure that Helm (or the Helm SDK) receives the available APIs from your Kubernetes cluster.
+
+For this you need to pass the `--api-versions` parameter to the `helm template` command:
+
+```bash
+helm template argocd \
+  oci://ghcr.io/argoproj/argo-helm/argo-cd \
+  --api-versions monitoring.coreos.com/v1 \
+  --values my-argocd-values.yaml
+```
+
+If you use other tools like [Kustomize](https://kubectl.docs.kubernetes.io/references/kustomize/builtins/) or [helmfile](https://helmfile.readthedocs.io/en/latest/#configuration) to render it, there are equivalent options.
+
+Example with Kustomize:
+
+```yaml
+# kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+helmCharts:
+- name: argo-cd
+  repo: oci://ghcr.io/argoproj/argo-helm
+  version: x.y.z
+  releaseName: argocd
+  apiVersions:
+  - monitoring.coreos.com/v1
+  valuesFile: my-argocd-values.yaml
+```
+
+Example with helmfile:
+
+```yaml
+# helmfile.yaml
+repositories:
+  - name: argo
+    url: https://argoproj.github.io/argo-helm
+
+apiVersions:
+  - monitoring.coreos.com/v1
+
+releases:
+  - name: argocd
+    namespace: argocd
+    chart: argo/argo-cd
+    values:
+      - my-argocd-values.yaml
+```

SECURITY.md

@@ -6,7 +6,7 @@ Each helm chart currently supports the designated application version in the Cha
 
 * [Security Policy for Argo Workflows](https://github.com/argoproj/argo-workflows/blob/master/SECURITY.md)
 * [Security Policy for Argo Events](https://github.com/argoproj/argo-events/blob/master/SECURITY.md)
-* [Security Policy for Argo Rollouts](https://github.com/argoproj/argo-rollouts/blob/master/docs/security.md)
+* [Security Policy for Argo Rollouts](https://github.com/argoproj/argo-rollouts/blob/master/docs/security/security.md)
 * [Security Policy for Argo CD](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md)
 * [Security Policy for Argo CD Image Updater](https://github.com/argoproj-labs/argocd-image-updater/blob/master/SECURITY.md)
 

charts/argo-cd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: redis-ha
   repository: https://dandydeveloper.github.io/charts/
-  version: 4.23.0
+  version: 4.29.4
-digest: sha256:589f9972fbdf36194d443c9d3be2a1747f43e03c435fc48004cc0cbe6b3c6e3c
+digest: sha256:1257baf1c5e0db036af659d44095223e28ac0c9ec1ed8300a02d5def2281c9c7
-generated: "2023-05-15T19:25:26.049618+09:00"
+generated: "2024-11-13T09:07:36.494128+09:00"

charts/argo-cd/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: v2.9.3
+appVersion: v2.14.2
-kubeVersion: ">=1.23.0-0"
+kubeVersion: ">=1.25.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
-version: 5.52.0
+version: 7.8.3
 home: https://github.com/argoproj/argo-helm
 icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
 sources:
@@ -18,7 +18,7 @@ maintainers:
     url: https://argoproj.github.io/
 dependencies:
   - name: redis-ha
-    version: 4.23.0
+    version: 4.29.4
     repository: https://dandydeveloper.github.io/charts/
     condition: redis-ha.enabled
 annotations:
@@ -27,4 +27,4 @@ annotations:
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
     - kind: changed
-      description: Use new Argo CD extension mechanism
+      description: Bump dex version to v2.42.0

charts/argo-cd/README.md.gotmpl

@@ -63,7 +63,181 @@ applicationSet:
   replicas: 2
 ```
 
-### Synchronizing Changes from Original Repository
+## Ingress configuration
+
+Please refer to the [Operator Manual](https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#ingress-configurationh) for details as the samples
+below corespond to their respective sections.
+
+### SSL-Passthrough
+
+The `tls: true` option will expect that the `argocd-server-tls` secret exists as Argo CD server loads TLS certificates from this place.
+
+```yaml
+global:
+  domain: argocd.example.com
+
+certificate:
+  enabled: true
+
+server:
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    tls: true
+```
+
+### SSL Termination at Ingress Controller
+
+```yaml
+global:
+  domain: argocd.example.com
+
+configs:
+  params:
+    server.insecure: true
+
+server:
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    extraTls:
+      - hosts:
+        - argocd.example.com
+        # Based on the ingress controller used secret might be optional
+        secretName: wildcard-tls
+```
+
+> **Note:**
+> If you don't plan on using a wildcard certificate it's also possible to use `tls: true` without `extraTls` section.
+
+### Multiple ingress resources for gRPC protocol support
+
+Use `ingressGrpc` section if your ingress controller supports only a single protocol per Ingress resource (i.e.: Contour).
+
+```yaml
+global:
+  domain: argocd.example.com
+
+configs:
+  params:
+    server.insecure: true
+
+server:
+  ingress:
+    enabled: true
+    ingressClassName: contour-internal
+    extraTls:
+      - hosts:
+        - argocd.example.com
+        secretName: wildcard-tls
+
+   ingressGrpc:
+     enabled: true
+     ingressClassName: contour-internal
+     extraTls:
+      - hosts:
+        - grpc.argocd.example.com
+        secretName: wildcard-tls
+```
+
+### Multiple ingress domains
+
+```yaml
+global:
+  domain: argocd.example.com
+
+server:
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      cert-manager.io/cluster-issuer: "<my-issuer>"
+      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    tls: true
+    extraHosts:
+      - name: argocd-alias.example.com
+        path: /
+```
+
+### AWS Application Load Balancer
+
+Refer to the Operator Manual for [AWS Application Load Balancer mode](https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#aws-application-load-balancers-albs-and-classic-elb-http-mode).
+The provided example assumes you are using TLS off-loading via AWS ACM service.
+
+> **Note:**
+> Using `controller: aws` creates additional service for gRPC traffic and it's no longer need to use `ingressGrpc` configuration section.
+
+```yaml
+global:
+  domain: argocd.example.com
+
+configs:
+  params:
+    server.insecure: true
+
+server:
+  ingress:
+    enabled: true
+    controller: aws
+    ingressClassName: alb
+    annotations:
+      alb.ingress.kubernetes.io/scheme: internal
+      alb.ingress.kubernetes.io/target-type: ip
+      alb.ingress.kubernetes.io/backend-protocol: HTTP
+      alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80}, {"HTTPS":443}]'
+      alb.ingress.kubernetes.io/ssl-redirect: '443'
+    aws:
+      serviceType: ClusterIP # <- Used with target-type: ip
+      backendProtocolVersion: GRPC
+```
+
+### GKE Application Load Balancer
+
+The implementation will populate `ingressClassName`, `networking.gke.io/managed-certificates` and `networking.gke.io/v1beta1.FrontendConfig` annotations
+automatically if you provide configuration for GKE resources.
+
+```yaml
+global:
+  domain: argocd.example.com
+
+configs:
+  params:
+    server.insecure: true
+
+server:
+  service:
+    annotations:
+      cloud.google.com/neg: '{"ingress": true}'
+      cloud.google.com/backend-config: '{"ports": {"http":"argocd-server"}}'
+
+  ingress:
+    enabled: true
+    controller: gke
+    gke:
+      backendConfig:
+        healthCheck:
+          checkIntervalSec: 30
+          timeoutSec: 5
+          healthyThreshold: 1
+          unhealthyThreshold: 2
+          type: HTTP
+          requestPath: /healthz
+          port: 8080
+      frontendConfig:
+        redirectToHttps:
+          enabled: true  
+      managedCertificate:
+        enabled: true
+```
+
+
+## Synchronizing Changes from Original Repository
 
 In the original [Argo CD repository](https://github.com/argoproj/argo-cd/) an [`manifests/install.yaml`](https://github.com/argoproj/argo-cd/blob/master/manifests/install.yaml) is generated using `kustomize`. It's the basis for the installation as [described in the docs](https://argo-cd.readthedocs.io/en/stable/getting_started/#1-install-argo-cd).
 
@@ -104,11 +278,112 @@ For full list of changes please check ArtifactHub [changelog].
 
 Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
 
+### 7.0.0
+
+We changed the type of `.Values.configs.clusterCredentials` from `list` to `object`.
+If you used the value, please migrate like below.
+
+```yaml
+# before
+configs:
+  clusterCredentials:
+    - mycluster:
+      server: https://mycluster.example.com
+      labels: {}
+      annotations: {}
+      # ...
+
+# after
+configs:
+  clusterCredentials:
+    mycluster:
+      server: https://mycluster.example.com
+      labels: {}
+      annotations: {}
+      # ...
+```
+
+### 6.10.0
+
+This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.
+
+#### How to rotate Redis secret?
+
+Upstream steps in the [FAQ] are not enough, since we chose a different approach.
+(We use a Kubernetes Job with [Chart Hooks] to create the auth secret `argocd-redis`.)
+
+Steps to rotate the secret when using the helm chart (bold step is additional to upstream):
+* Delete `argocd-redis` secret in the namespace where Argo CD is installed. 
+  ```bash
+  kubectl delete secret argocd-redis -n <argocd namespace>
+  ```
+* **Perform a helm upgrade**
+  ```bash
+  helm upgrade argocd argo/argo-cd --reuse-values --wait
+  ```
+* If you are running Redis in HA mode, restart Redis in HA.
+  ```bash
+  kubectl rollout restart deployment argocd-redis-ha-haproxy
+  kubectl rollout restart statefulset argocd-redis-ha-server
+  ```
+* If you are running Redis in non-HA mode, restart Redis.
+  ```bash
+  kubectl rollout restart deployment argocd-redis
+  ```
+* Restart other components.
+  ```bash
+  kubectl rollout restart deployment argocd-server argocd-repo-server
+  kubectl rollout restart statefulset argocd-application-controller
+  ```
+
+### 6.9.0
+ApplicationSet controller is always created to follow [upstream's manifest](https://github.com/argoproj/argo-cd/blob/v2.11.0/manifests/core-install/kustomization.yaml#L9).  
+
+### 6.4.0
+
+Added support for application controller dynamic cluster distribution.
+Please refer to [the docs](https://argo-cd.readthedocs.io/en/stable/operator-manual/dynamic-cluster-distribution) for more information.
+
+Added env variables to handle the non-standard names generated by the helm chart.
+Here are the [docs](https://argo-cd.readthedocs.io/en/release-2.9/user-guide/environment-variables/)
+and [code](https://github.com/argoproj/argo-cd/blob/99723143b96ceec9ef5b0a7feb7b4f4b0dce3497/common/common.go#L252)
+
+### 6.1.0
+
+Added support for global domain used by all components.
+
+### 6.0.0
+
+This version **removes support for**:
+
+* deprecated component options `logLevel` and `logFormat`
+* deprecated component arguments `<components>.args.<feature>` that were replaced with `configs.params`
+* deprecated configuration `server.config` that was replaced with `configs.cm`
+* deprecated configuration `server.rbacConfig` that was replaced with `configs.rbac`
+
+Major version also contains breaking **changes related to Argo CD Ingress** resources that were hard to extend and maintain for various ingress controller implementations.
+Please review your setup and adjust to new configuration options:
+
+* catch all rule was removed for security reasons. If you need this please use `server.ingress.extraRules` to provide ingress rule without hostname
+* ingress rule for `paths` changed to `path` as there is only single Argo CD backend path
+* ingress rule for `hosts` changed to `hostname` as there can be only single SSO redirect for given hostname
+* ingress TLS for server uses by default `argocd-server-tls` secret required by Argo CD server, additional ingresses are using `<hostname>-tls` secret when `tls: true`
+* additional hostnames and routing can be provided via `extraHosts` configuration section
+* additional TLS secrets can be provided via `extraTls` configuration section
+
+Please refer to [ingress configuration](#ingress-configuration) for examples.
+
+### 5.53.0
+
+Argocd-repo-server can now optionally use Persistent Volumes for its mountpoints instead of only emptydir()
+
 ### 5.52.0
+
 Because [Argo CD Extensions] is now deprecated and no further changes will be made, we switched to [Argo CD Extension Installer], adding an Argo CD Extension Installer to init-container in the Argo CD API server.
 If you used old mechanism, please move to new mechanism. For more details, please refer `.Values.server.extensions` in values.yaml.
 
 ### 5.35.0
+
 This version supports Kubernetes version `>=1.23.0-0`. The current supported version of Kubernetes is v1.24 or later and we align with the Amazon EKS calendar, because many AWS users follow a conservative approach.
 
 Please see more information about EoL: [Amazon EKS EoL][EKS EoL].
@@ -397,7 +672,7 @@ NAME: my-release
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 {{- range .Values }}
-  {{- if not (or  (hasPrefix "global" .Key) (hasPrefix "configs" .Key) (hasPrefix "controller" .Key) (hasPrefix "repoServer" .Key) (hasPrefix "server" .Key) (hasPrefix "applicationSet" .Key) (hasPrefix "notifications" .Key) (hasPrefix "dex" .Key) (hasPrefix "redis" .Key) (hasPrefix "externalRedis" .Key) ) }}
+  {{- if not (or  (hasPrefix "global" .Key) (hasPrefix "configs" .Key) (hasPrefix "controller" .Key) (hasPrefix "repoServer" .Key) (hasPrefix "server" .Key) (hasPrefix "applicationSet" .Key) (hasPrefix "notifications" .Key) (hasPrefix "dex" .Key) (hasPrefix "redis" .Key) (hasPrefix "externalRedis" .Key) (hasPrefix "commitServer" .Key) ) }}
 | {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
   {{- end }}
 {{- end }}
@@ -452,28 +727,6 @@ NAME: my-release
   {{- end }}
 {{- end }}
 
-### Using AWS ALB Ingress Controller With GRPC
-
-If you are using an AWS ALB Ingress controller, you will need to set `server.ingressGrpc.isAWSALB` to `true`. This will create a second service with the annotation `alb.ingress.kubernetes.io/backend-protocol-version: HTTP2` and modify the server ingress to add a condition annotation to route GRPC traffic to the new service.
-
-Example:
-
-```yaml
-server:
-  ingress:
-    enabled: true
-    annotations:
-      alb.ingress.kubernetes.io/backend-protocol: HTTPS
-      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
-      alb.ingress.kubernetes.io/scheme: internal
-      alb.ingress.kubernetes.io/target-type: ip
-  ingressGrpc:
-    enabled: true
-    isAWSALB: true
-    awsALB:
-      serviceType: ClusterIP
-```
-
 ## Dex
 
 | Key | Type | Default | Description |
@@ -527,6 +780,19 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
   {{- end }}
 {{- end }}
 
+### Redis secret-init
+
+The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
+If you use an External Redis (See Option 3 above), this Job is not deployed.
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if hasPrefix "redisSecretInit" .Key }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
 ## ApplicationSet
 
 | Key | Type | Default | Description |
@@ -547,28 +813,44 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
   {{- end }}
 {{- end }}
 
+## Commit server (Manifest Hydrator)
+
+The Argo CD Commit Server provides push access to git repositories for hydrated manifests.
+
+To read more about this component, please read [Argo CD Manifest Hydrator] and [Manifest Hydrator].
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+{{- range .Values }}
+  {{- if hasPrefix "commitServer" .Key }}
+| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} |
+  {{- end }}
+{{- end }}
+
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)
 
 [Argo CD RBAC policy]: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
-[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+[affinity]: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
-[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
+[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#backendconfigspec_v1beta1_cloudgooglecom
 [CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/
 [changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog
+[Chart Hooks]: https://helm.sh/docs/topics/charts_hooks/
 [DNS configuration]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
 [external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters
-[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
+[FAQ]: https://argo-cd.readthedocs.io/en/stable/faq/
+[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters
 [declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
 [gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/
 [GnuPG]: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/
 [HPA]: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
 [MetricRelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
-[Node selector]: https://kubernetes.io/docs/user-guide/node-selection/
+[Node selector]: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector
 [PodDisruptionBudget]: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/#pod-disruption-budgets
 [probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
 [RelabelConfigs]: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
-[Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+[Tolerations]: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
-[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
 [values.yaml]: values.yaml
 [v2.2 to 2.3 upgrade instructions]: https://github.com/argoproj/argo-cd/blob/v2.3.0/docs/operator-manual/upgrading/2.2-2.3.md
 [tini]: https://github.com/argoproj/argo-cd/pull/12707
@@ -577,3 +859,5 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
 [Applications in any namespace]: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/#applications-in-any-namespace
 [Argo CD Extensions]: https://github.com/argoproj-labs/argocd-extensions?tab=readme-ov-file#deprecation-notice
 [Argo CD Extension Installer]: https://github.com/argoproj-labs/argocd-extension-installer
+[Argo CD Manifest Hydrator]: https://argo-cd.readthedocs.io/en/stable/proposals/manifest-hydrator/
+[Manifest Hydrator]: https://github.com/argoproj/argo-cd/blob/master/docs/proposals/manifest-hydrator.md

charts/argo-cd/ci/dynamic-sharding-values.yaml

@@ -0,0 +1,6 @@
+# Test application controller dynamic cluster distribution
+crds:
+  keep: false
+
+controller:
+  dynamicClusterDistribution: true

charts/argo-cd/ci/with-commit-server-values.yaml

@@ -0,0 +1,3 @@
+# Test Argo CD with optional component "commit-server"
+commitServer:
+  enabled: true

charts/argo-cd/templates/NOTES.txt

@@ -1,136 +1,6 @@
-{{- if .Values.controller.args.statusProcessors }}
-DEPRECATED option controller.args.statusProcessors - Use configs.params.controller.status.processors
-{{- end }}
-{{- if .Values.controller.args.operationProcessors }}
-DEPRECATED option controller.args.operationProcessors - Use configs.params.controller.operation.processors
-{{- end }}
-{{- if .Values.controller.args.appResyncPeriod }}
-DEPRECATED option controller.args.appResyncPeriod - Use server.config.timeout.reconciliation
-{{- end }}
-{{- if .Values.controller.args.appHardResyncPeriod }}
-DEPRECATED option controller.args.appHardResyncPeriod - Use server.config.timeout.hard.reconciliation
-{{- end }}
-{{- if .Values.controller.args.selfHealTimeout }}
-DEPRECATED option controller.args.selfHealTimeout -  Use configs.params.controller.self.heal.timeout.seconds
-{{- end }}
-{{- if .Values.controller.args.repoServerTimeoutSeconds }}
-DEPRECATED option controller.args.repoServerTimeoutSeconds - Use configs.params.controller.repo.server.timeout.seconds
-{{- end }}
-{{- if .Values.controller.logFormat }}
-DEPRECATED option controller.logFormat - Use configs.params.controller.log.format
-{{- end }}
-{{- if .Values.controller.logLevel }}
-DEPRECATED option controller.logLevel - Use configs.params.controller.log.level
-{{- end }}
-{{- if .Values.server.logFormat }}
-DEPRECATED option server.logFormat - Use configs.params.server.log.format
-{{- end }}
-{{- if .Values.server.logLevel }}
-DEPRECATED option server.logLevel - Use configs.params.server.log.level
-{{- end }}
-{{- if has "--insecure" .Values.server.extraArgs }}
-DEPRECATED option server.extraArgs."--insecure" - Use configs.params.server.insecure
-{{- end }}
-{{- if .Values.repoServer.logFormat }}
-DEPRECATED option repoServer.logFormat - Use configs.params.repoServer.log.format
-{{- end }}
-{{- if .Values.repoServer.logLevel }}
-DEPRECATED option repoServer.logLevel - Use configs.params.repoServer.log.level
-{{- end }}
-{{- if or .Values.server.config (hasKey .Values.server "configEnabled") .Values.server.configAnnotations }}
-DEPRECATED option server.config - Use configs.cm
-{{- end }}
-{{- if or .Values.server.rbacConfig (hasKey .Values.server "rbacConfigCreate") .Values.server.rbacConfigAnnotations }}
-DEPRECATED option server.rbacConfig - Use configs.rbac
-{{- end }}
-{{- if .Values.configs.secret.argocdServerTlsConfig }}
-DEPRECATED option config.secret.argocdServerTlsConfig - Use server.certificate or server.certificateSecret
-{{- end }}
-{{- if .Values.configs.gpgKeys }}
-DEPRECATED option configs.gpgKeys - Use config.gpg.keys
-{{- end }}
-{{- if .Values.configs.gpgKeysAnnotations }}
-DEPRECATED option configs.gpgKeysAnnotations - Use config.gpg.annotations
-{{- end }}
-{{- if hasKey (.Values.controller.clusterAdminAccess | default dict) "enabled" }}
-DEPRECATED option .controller.clusterAdminAccess.enabled - Use createClusterRoles
-{{- end }}
-{{- if hasKey (.Values.server.clusterAdminAccess | default dict) "enabled" }}
-DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
-{{- end }}
-{{- if hasKey (.Values.repoServer.clusterAdminAccess | default dict) "enabled" }}
-DEPRECATED option .server.clusterAdminAccess.enabled - Use createClusterRoles
-{{- end }}
-{{- if .Values.configs.knownHostsAnnotations }}
-DEPRECATED option configs.knownHostsAnnotations - Use configs.ssh.annotations
-{{- end }}
-{{- if hasKey .Values.configs "knownHosts" }}
-DEPRECATED option configs.knownHosts.data.ssh_known_hosts - Use configs.ssh.knownHosts
-{{- end }}
-{{- if .Values.configs.tlsCertsAnnotations }}
-DEPRECATED option configs.tlsCertsAnnotations - Use configs.tls.annotations
-{{- end }}
-{{- if hasKey .Values.configs "tlsCerts" }}
-DEPRECATED option configs.tlsCerts.data - Use configs.tls.certificates
-{{- end }}
-{{- if .Values.applicationSet.replicaCount }}
-DEPRECATED option applicationSet.replicaCount - Use applicationSet.replicas
-{{- end }}
-{{- if .Values.applicationSet.logFormat }}
-DEPRECATED option applicationSet.logFormat - Use configs.params.applicationsetcontroller.log.format
-{{- end }}
-{{- if .Values.applicationSet.logLevel }}
-DEPRECATED option applicationSet.logLevel - Use configs.params.applicationsetcontroller.log.level
-{{- end }}
-{{- if .Values.applicationSet.args.policy }}
-DEPRECATED option applicationSet.args.policy - Use configs.params.applicationsetcontroller.policy
-{{- end }}
-{{- if .Values.applicationSet.args.dryRun }}
-DEPRECATED option applicationSet.args.dryRun - Use configs.params.applicationsetcontroller.dryRun
-{{- end }}
-{{- if .Values.controller.service }}
-REMOVED option controller.service - Use controller.metrics
-{{- end }}
-{{- if .Values.repoServer.copyutil }}
-REMOVED option repoSever.copyutil.resources - Use repoServer.resources
-{{- end }}
-{{- if .Values.applicationSet.args.debug }}
-REMOVED option applicationSet.args.debug - Use applicationSet.logLevel: debug
-{{- end }}
-{{- if .Values.applicationSet.args.enableLeaderElection }}
-REMOVED option applicationSet.args.enableLeaderElection - Value determined based on replicas
-{{- end }}
-{{- if .Values.controller.containerPort }}
-REMOVED option controller.containerPort - Use controller.containerPorts
-{{- end }}
-{{- if .Values.server.containerPort }}
-REMOVED option server.containerPort - Use server.containerPorts
-{{- end }}
-{{- if .Values.repoServer.containerPort }}
-REMOVED option repoServer.containerPort - Use repoServer.containerPorts
-{{- end }}
-{{- if .Values.applicationSet.args.metricsAddr }}
-REMOVED option applicationSet.args.metricsAddr - Use applicationSet.containerPorts
-{{- end }}
-{{- if .Values.applicationSet.args.probeBindAddr }}
-REMOVED option applicationSet.args.probeBindAddr - Use applicationSet.containerPorts
-{{- end }}
-{{- if .Values.redis.containerPort }}
-REMOVED option redis.containerPort - Use redis.containerPorts
-{{- end }}
-{{- if .Values.redis.metrics.containerPort }}
-REMOVED option redis.metrics.containerPort - Use redis.containerPorts
-{{- end }}
-{{- if .Values.apiVersionOverrides.autoscaling }}
-REMOVED option apiVersionOverrides.autoscaling - API autoscaling/v2 is GA from 1.23
-{{- end }}
-{{- if .Values.apiVersionOverrides.certmanager }}
-REMOVED option apiVersionOverrides.certmanager - API v1 is only possible option after K8s 1.22
-{{- end }}
-
 In order to access the server UI you have the following options:
 
-1. kubectl port-forward service/{{ include "argo-cd.fullname" . }}-server -n {{ .Release.Namespace }} 8080:443
+1. kubectl port-forward service/{{ include "argo-cd.fullname" . }}-server -n {{ include  "argo-cd.namespace" . }} 8080:443
 
     and then open the browser on http://localhost:8080 and accept the certificate
 
@@ -139,10 +9,10 @@ In order to access the server UI you have the following options:
       - Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
 
 
-{{ if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "admin.enabled")) "true" -}}
+{{ if eq (toString (index .Values.configs.cm "admin.enabled")) "true" -}}
 After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
 
-kubectl -n {{ .Release.Namespace }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
+kubectl -n {{ include  "argo-cd.namespace" . }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
 
 (You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli)
 {{ else if or (index .Values.configs.cm "dex.config") (index .Values.configs.cm "oidc.config") -}}

charts/argo-cd/templates/_helpers.tpl

@@ -11,7 +11,7 @@ to 63 chars and it includes 10 chars of hash and a separating '-'.
 {{/*
 Create the name of the controller service account to use
 */}}
-{{- define "argo-cd.controllerServiceAccountName" -}}
+{{- define "argo-cd.controller.serviceAccountName" -}}
 {{- if .Values.controller.serviceAccount.create -}}
     {{ default (include "argo-cd.controller.fullname" .) .Values.controller.serviceAccount.name }}
 {{- else -}}
@@ -40,7 +40,7 @@ Create Dex server endpoint
 {{/*
 Create the name of the dex service account to use
 */}}
-{{- define "argo-cd.dexServiceAccountName" -}}
+{{- define "argo-cd.dex.serviceAccountName" -}}
 {{- if .Values.dex.serviceAccount.create -}}
     {{ default (include "argo-cd.dex.fullname" .) .Values.dex.serviceAccount.name }}
 {{- else -}}
@@ -78,7 +78,7 @@ Return Redis server endpoint
 {{/*
 Create the name of the redis service account to use
 */}}
-{{- define "argo-cd.redisServiceAccountName" -}}
+{{- define "argo-cd.redis.serviceAccountName" -}}
 {{- if .Values.redis.serviceAccount.create -}}
     {{ default (include "argo-cd.redis.fullname" .) .Values.redis.serviceAccount.name }}
 {{- else -}}
@@ -86,6 +86,25 @@ Create the name of the redis service account to use
 {{- end -}}
 {{- end -}}
 
+
+{{/*
+Create Redis secret-init name
+*/}}
+{{- define "argo-cd.redisSecretInit.fullname" -}}
+{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redisSecretInit.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the Redis secret-init service account to use
+*/}}
+{{- define "argo-cd.redisSecretInit.serviceAccountName" -}}
+{{- if .Values.redisSecretInit.serviceAccount.create -}}
+    {{ default (include "argo-cd.redisSecretInit.fullname" .) .Values.redisSecretInit.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.redisSecretInit.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create argocd server name and version as used by the chart label.
 */}}
@@ -96,7 +115,7 @@ Create argocd server name and version as used by the chart label.
 {{/*
 Create the name of the Argo CD server service account to use
 */}}
-{{- define "argo-cd.serverServiceAccountName" -}}
+{{- define "argo-cd.server.serviceAccountName" -}}
 {{- if .Values.server.serviceAccount.create -}}
     {{ default (include "argo-cd.server.fullname" .) .Values.server.serviceAccount.name }}
 {{- else -}}
@@ -114,7 +133,7 @@ Create argocd repo-server name and version as used by the chart label.
 {{/*
 Create the name of the repo-server service account to use
 */}}
-{{- define "argo-cd.repoServerServiceAccountName" -}}
+{{- define "argo-cd.repoServer.serviceAccountName" -}}
 {{- if .Values.repoServer.serviceAccount.create -}}
     {{ default (include "argo-cd.repoServer.fullname" .) .Values.repoServer.serviceAccount.name }}
 {{- else -}}
@@ -132,7 +151,7 @@ Create argocd application set name and version as used by the chart label.
 {{/*
 Create the name of the application set service account to use
 */}}
-{{- define "argo-cd.applicationSetServiceAccountName" -}}
+{{- define "argo-cd.applicationSet.serviceAccountName" -}}
 {{- if .Values.applicationSet.serviceAccount.create -}}
     {{ default (include "argo-cd.applicationSet.fullname" .) .Values.applicationSet.serviceAccount.name }}
 {{- else -}}
@@ -150,7 +169,7 @@ Create argocd notifications name and version as used by the chart label.
 {{/*
 Create the name of the notifications service account to use
 */}}
-{{- define "argo-cd.notificationsServiceAccountName" -}}
+{{- define "argo-cd.notifications.serviceAccountName" -}}
 {{- if .Values.notifications.serviceAccount.create -}}
     {{ default (include "argo-cd.notifications.fullname" .) .Values.notifications.serviceAccount.name }}
 {{- else -}}
@@ -159,10 +178,32 @@ Create the name of the notifications service account to use
 {{- end -}}
 
 {{/*
-Argo Configuration Preset Values (Incluenced by Values configuration)
+Create argocd commit-server name and version as used by the chart label.
+*/}}
+{{- define "argo-cd.commitServer.fullname" -}}
+{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.commitServer.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the commit-server service account to use
+*/}}
+{{- define "argo-cd.commitServer.serviceAccountName" -}}
+{{- if .Values.commitServer.serviceAccount.create -}}
+    {{ default (include "argo-cd.commitServer.fullname" .) .Values.commitServer.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.commitServer.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Argo Configuration Preset Values (Influenced by Values configuration)
 */}}
 {{- define "argo-cd.config.cm.presets" -}}
 {{- $presets := dict -}}
+{{- $_ := set $presets "url" (printf "https://%s" .Values.global.domain) -}}
+{{- if eq (toString (index .Values.configs.cm "statusbadge.enabled")) "true" -}}
+{{- $_ := set $presets "statusbadge.url" (printf "https://%s/" .Values.global.domain) -}}
+{{- end -}}
 {{- if .Values.configs.styles -}}
 {{- $_ := set $presets "ui.cssurl" "./custom/custom.styles.css" -}}
 {{- end -}}
@@ -173,7 +214,7 @@ Argo Configuration Preset Values (Incluenced by Values configuration)
 Merge Argo Configuration with Preset Configuration
 */}}
 {{- define "argo-cd.config.cm" -}}
-{{- $config := (mergeOverwrite (deepCopy (omit .Values.configs.cm "create" "annotations")) (.Values.server.config | default dict))  -}}
+{{- $config := omit .Values.configs.cm "create" "annotations" -}}
 {{- $preset := include "argo-cd.config.cm.presets" . | fromYaml | default dict -}}
 {{- range $key, $value := mergeOverwrite $preset $config }}
 {{- $fmted := $value | toString }}
@@ -192,6 +233,7 @@ NOTE: Configuration keys must be stored as dict because YAML treats dot as separ
 {{- $_ := set $presets "repo.server" (printf "%s:%s" (include "argo-cd.repoServer.fullname" .) (.Values.repoServer.service.port | toString)) -}}
 {{- $_ := set $presets "server.repo.server.strict.tls" (.Values.repoServer.certificateSecret.enabled | toString ) -}}
 {{- $_ := set $presets "redis.server" (include "argo-cd.redis.server" .) -}}
+{{- $_ := set $presets "applicationsetcontroller.enable.leader.election" (gt ((.Values.applicationSet.replicas | default .Values.applicationSet.replicaCount) | int64) 1) -}}
 {{- if .Values.dex.enabled -}}
 {{- $_ := set $presets "server.dex.server" (include "argo-cd.dex.server" .) -}}
 {{- $_ := set $presets "server.dex.server.strict.tls" .Values.dex.certificateSecret.enabled -}}
@@ -200,9 +242,6 @@ NOTE: Configuration keys must be stored as dict because YAML treats dot as separ
 {{- $_ := set $presets (printf "%s.log.format" $component) $.Values.global.logging.format -}}
 {{- $_ := set $presets (printf "%s.log.level" $component) $.Values.global.logging.level -}}
 {{- end -}}
-{{- if .Values.applicationSet.enabled -}}
-{{- $_ := set $presets "applicationsetcontroller.enable.leader.election" (gt ((.Values.applicationSet.replicas | default .Values.applicationSet.replicaCount) | int64) 1) -}}
-{{- end -}}
 {{- toYaml $presets }}
 {{- end -}}
 
@@ -216,3 +255,23 @@ Merge Argo Params Configuration with Preset Configuration
 {{ $key }}: {{ toString $value | toYaml }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Expand the namespace of the release.
+Allows overriding it for multi-namespace deployments in combined charts.
+*/}}
+{{- define "argo-cd.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
+{{- end }}
+
+{{/*
+Dual stack definition
+*/}}
+{{- define "argo-cd.dualStack" -}}
+{{- with .Values.global.dualStack.ipFamilyPolicy }}
+ipFamilyPolicy: {{ . }}
+{{- end }}
+{{- with .Values.global.dualStack.ipFamilies }}
+ipFamilies: {{ toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}

charts/argo-cd/templates/_versions.tpl

@@ -5,16 +5,3 @@ Return the target Kubernetes version
 {{- define "argo-cd.kubeVersion" -}}
 {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
 {{- end }}
-
-{{/*
-Return the appropriate apiVersion for GKE resources
-*/}}
-{{- define "argo-cd.apiVersions.cloudgoogle" -}}
-{{- if .Values.apiVersionOverrides.cloudgoogle -}}
-{{- print .Values.apiVersionOverrides.cloudgoogle -}}
-{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
-{{- print "cloud.google.com/v1" -}}
-{{- else -}}
-{{- print "cloud.google.com/v1beta1" -}}
-{{- end -}}
-{{- end -}}

charts/argo-cd/templates/aggregate-roles.yaml

@@ -11,9 +11,7 @@ rules:
   - argoproj.io
   resources:
   - applications
-  {{- if .Values.applicationSet.enabled }}
   - applicationsets
-  {{- end }}
   - appprojects
   verbs:
   - get
@@ -33,9 +31,7 @@ rules:
   - argoproj.io
   resources:
   - applications
-  {{- if .Values.applicationSet.enabled }}
   - applicationsets
-  {{- end }}
   - appprojects
   verbs:
   - create
@@ -60,9 +56,7 @@ rules:
   - argoproj.io
   resources:
   - applications
-  {{- if .Values.applicationSet.enabled }}
   - applicationsets
-  {{- end }}
   - appprojects
   verbs:
   - create

charts/argo-cd/templates/argocd-application-controller/clusterrole.yaml

@@ -1,5 +1,4 @@
-{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
-{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

charts/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml

@@ -1,5 +1,4 @@
-{{- $config := .Values.controller.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
-{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -12,6 +11,6 @@ roleRef:
   name: {{ include "argo-cd.controller.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "argo-cd.controllerServiceAccountName" . }}
+  name: {{ include "argo-cd.controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "argo-cd.namespace" . }}
 {{- end }}

charts/argo-cd/templates/argocd-application-controller/deployment.yaml

@@ -0,0 +1,440 @@
+{{- if .Values.controller.dynamicClusterDistribution }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.controller.deploymentAnnotations) }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  name: {{ template "argo-cd.controller.fullname" . }}
+  namespace: {{ include  "argo-cd.namespace" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
+spec:
+  replicas: {{ .Values.controller.replicas }}
+  revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
+  selector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
+        {{- if .Values.configs.cm.create }}
+        checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
+        {{- end }}
+        {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+        {{- end }}
+      labels:
+        {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
+        {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.controller.runtimeClassName | default .Values.global.runtimeClassName }}
+      runtimeClassName: {{ . }}
+      {{- end }}
+      {{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.priorityClassName | default .Values.global.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- if .Values.controller.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
+      {{- end }}
+      serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }}
+      containers:
+      - args:
+        - /usr/local/bin/argocd-application-controller
+        - --metrics-port={{ .Values.controller.containerPorts.metrics }}
+        {{- if .Values.controller.metrics.applicationLabels.enabled }}
+        {{- range .Values.controller.metrics.applicationLabels.labels }}
+        - --metrics-application-labels
+        - {{ . }}
+        {{- end }}
+        {{- end }}
+        {{- with .Values.controller.extraArgs }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }}
+        imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
+        name: {{ .Values.controller.name }}
+        env:
+          {{- with (concat .Values.global.env .Values.controller.env) }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          - name: ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION
+            value: "true"
+          - name: ARGOCD_CONTROLLER_HEARTBEAT_TIME
+            value: {{ .Values.controller.heartbeatTime | quote }}
+          - name: ARGOCD_APPLICATION_CONTROLLER_NAME
+            value: {{ template "argo-cd.controller.fullname" . }}
+          - name: ARGOCD_RECONCILIATION_TIMEOUT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cm
+                key: timeout.reconciliation
+                optional: true
+          - name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cm
+                key: timeout.hard.reconciliation
+                optional: true
+          - name: ARGOCD_RECONCILIATION_JITTER
+            valueFrom:
+              configMapKeyRef:
+                key: timeout.reconciliation.jitter
+                name: argocd-cm
+                optional: true
+          - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.repo.error.grace.period.seconds
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: repo.server
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.repo.server.timeout.seconds
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.status.processors
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.operation.processors
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.log.format
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.log.level
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.metrics.cache.expiration
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.self.heal.timeout.seconds
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.self.heal.backoff.timeout.seconds
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.self.heal.backoff.factor
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.self.heal.backoff.cap.seconds
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.sync.timeout.seconds
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.repo.server.plaintext
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.repo.server.strict.tls
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.resource.health.persist
+                optional: true
+          - name: ARGOCD_APP_STATE_CACHE_EXPIRATION
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.app.state.cache.expiration
+                optional: true
+          - name: REDIS_SERVER
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: redis.server
+                optional: true
+          - name: REDIS_COMPRESSION
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: redis.compression
+                optional: true
+          - name: REDISDB
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: redis.db
+                optional: true
+          - name: REDIS_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
+                key: redis-username
+                optional: true
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
+                {{- if .Values.externalRedis.host }}
+                key: redis-password
+                {{- else }}
+                key: auth
+                {{- end }}
+                optional: true
+          - name: REDIS_SENTINEL_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                key: redis-sentinel-username
+                optional: true
+          - name: REDIS_SENTINEL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                key: redis-sentinel-password
+                optional: true
+          - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.default.cache.expiration
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.address
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.insecure
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.headers
+                optional: true
+          - name: ARGOCD_APPLICATION_NAMESPACES
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: application.namespaces
+                optional: true
+          - name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.sharding.algorithm
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.kubectl.parallelism.limit
+                optional: true
+          - name: ARGOCD_K8SCLIENT_RETRY_MAX
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.k8sclient.retry.max
+                optional: true
+          - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.k8sclient.retry.base.backoff
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.diff.server.side
+                optional: true
+          - name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.ignore.normalizer.jq.timeout
+                optional: true
+          - name: ARGOCD_HYDRATOR_ENABLED
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: hydrator.enabled
+                optional: true
+          - name: ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.cluster.cache.batch.events.processing
+                optional: true
+          - name: ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.cluster.cache.events.processing.interval
+                optional: true
+        {{- with .Values.controller.envFrom }}
+        envFrom:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        ports:
+        - name: metrics
+          containerPort: {{ .Values.controller.containerPorts.metrics }}
+          protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: metrics
+          initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
+        resources:
+          {{- toYaml .Values.controller.resources | nindent 10 }}
+        {{- with .Values.controller.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        workingDir: /home/argocd
+        volumeMounts:
+        {{- with .Values.controller.volumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        - mountPath: /app/config/controller/tls
+          name: argocd-repo-server-tls
+        - mountPath: /home/argocd
+          name: argocd-home
+        - name: argocd-cmd-params-cm
+          mountPath: /home/argocd/params
+      {{- with .Values.controller.extraContainers }}
+        {{- tpl (toYaml .) $ | nindent 6 }}
+      {{- end }}
+      {{- with .Values.controller.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 6 }}
+      {{- end }}
+      {{- with include "argo-cd.affinity" (dict "context" . "component" .Values.controller) }}
+      affinity:
+        {{- trim . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.tolerations | default .Values.global.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controller.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- range $constraint := . }}
+      - {{ toYaml $constraint | nindent 8 | trim }}
+          {{- if not $constraint.labelSelector }}
+        labelSelector:
+          matchLabels:
+            {{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+      volumes:
+      {{- with .Values.controller.volumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      - name: argocd-home
+        {{- if .Values.controller.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.controller.emptyDir.sizeLimit }}
+        {{- else }}
+        emptyDir: {}
+        {{- end }}
+
+      - name: argocd-repo-server-tls
+        secret:
+          secretName: argocd-repo-server-tls
+          optional: true
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt
+      - name: argocd-cmd-params-cm
+        configMap:
+          optional: true
+          name: argocd-cmd-params-cm
+          items:
+          - key: controller.profile.enabled
+            path: profiler.enabled
+      {{- if .Values.controller.hostNetwork }}
+      hostNetwork: {{ .Values.controller.hostNetwork }}
+      {{- end }}
+      {{- with .Values.controller.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      dnsPolicy: {{ .Values.controller.dnsPolicy }}
+{{- end }}

charts/argo-cd/templates/argocd-application-controller/metrics.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "argo-cd.controller.fullname" . }}-metrics
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" "metrics") | nindent 4 }}
     {{- with .Values.controller.metrics.service.labels }}
@@ -24,6 +24,7 @@ spec:
   {{- if and .Values.controller.metrics.service.clusterIP (eq .Values.controller.metrics.service.type "ClusterIP") }}
   clusterIP: {{ .Values.controller.metrics.service.clusterIP }}
   {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.controller.metrics.service.portName }}
     protocol: TCP

charts/argo-cd/templates/argocd-application-controller/networkpolicy.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
   name: {{ template "argo-cd.controller.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
 spec:
   ingress:
   - from:

charts/argo-cd/templates/argocd-application-controller/pdb.yaml

@@ -3,7 +3,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "argo-cd.controller.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
     {{- with .Values.controller.pdb.labels }}

charts/argo-cd/templates/argocd-application-controller/prometheusrule.yaml

@@ -1,9 +1,9 @@
-{{- if and .Values.controller.metrics.enabled .Values.controller.metrics.rules.enabled }}
+{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.metrics.enabled .Values.controller.metrics.rules.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
   name: {{ template "argo-cd.controller.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.controller.metrics.rules.namespace | quote }}
+  namespace: {{ default (include  "argo-cd.namespace" .) .Values.controller.metrics.rules.namespace | quote }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
     {{- if .Values.controller.metrics.rules.selector }}

charts/argo-cd/templates/argocd-application-controller/role.yaml

@@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ template "argo-cd.controller.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 rules:
@@ -35,3 +35,25 @@ rules:
   verbs:
   - create
   - list
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+{{- if and (not .Values.createClusterRoles) .Values.controller.dynamicClusterDistribution }}
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - argocd-app-controller-shard-cm
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+{{- end }}

charts/argo-cd/templates/argocd-application-controller/rolebinding.yaml

@@ -1,15 +1,15 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "argo-cd.controller.fullname" . }}
+  name: {{ include "argo-cd.controller.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "argo-cd.controller.fullname" . }}
+  name: {{ include "argo-cd.controller.fullname" . }}
 subjects:
   - kind: ServiceAccount
-  name: {{ template "argo-cd.controllerServiceAccountName" . }}
+    name: {{ include "argo-cd.controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+    namespace: {{ include "argo-cd.namespace" . }}

charts/argo-cd/templates/argocd-application-controller/serviceaccount.yaml

@@ -3,17 +3,17 @@ apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
 metadata:
-  name: {{ template "argo-cd.controllerServiceAccountName" . }}
+  name: {{ include "argo-cd.controller.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
-{{- if .Values.controller.serviceAccount.annotations }}
+  {{- with .Values.controller.serviceAccount.annotations }}
   annotations:
-  {{- range $key, $value := .Values.controller.serviceAccount.annotations }}
+    {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
-  {{- range $key, $value := .Values.controller.serviceAccount.labels }}
+    {{- with .Values.controller.serviceAccount.labels }}
-    {{ $key }}: {{ $value | quote }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

charts/argo-cd/templates/argocd-application-controller/servicemonitor.yaml

@@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "argo-cd.controller.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.controller.metrics.serviceMonitor.namespace | quote }}
+  namespace: {{ default (include  "argo-cd.namespace" .) .Values.controller.metrics.serviceMonitor.namespace | quote }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
     {{- with .Values.controller.metrics.serviceMonitor.selector }}
@@ -22,6 +22,9 @@ spec:
       {{- with .Values.controller.metrics.serviceMonitor.interval }}
       interval: {{ . }}
       {{- end }}
+      {{- with .Values.controller.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
       path: /metrics
       {{- with .Values.controller.metrics.serviceMonitor.relabelings }}
       relabelings:
@@ -31,6 +34,7 @@ spec:
       metricRelabelings:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      honorLabels: {{ .Values.controller.metrics.serviceMonitor.honorLabels }}
       {{- with .Values.controller.metrics.serviceMonitor.scheme }}
       scheme: {{ . }}
       {{- end }}
@@ -40,7 +44,7 @@ spec:
       {{- end }}
   namespaceSelector:
     matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "argo-cd.namespace" . }}
   selector:
     matchLabels:
       {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.controller.name "name" "metrics") | nindent 6 }}

charts/argo-cd/templates/argocd-application-controller/statefulset.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.controller.dynamicClusterDistribution | default false }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -8,13 +9,12 @@ metadata:
     {{- end }}
   {{- end }}
   name: {{ template "argo-cd.controller.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
 spec:
   replicas: {{ .Values.controller.replicas }}
-  # TODO: Remove for breaking release as history limit cannot be patched
+  revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
-  revisionHistoryLimit: 5
   serviceName: {{ include "argo-cd.controller.fullname" . }}
   selector:
     matchLabels:
@@ -23,7 +23,7 @@ spec:
     metadata:
       annotations:
         checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
-        {{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
+        {{- if .Values.configs.cm.create }}
         checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
         {{- end }}
         {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }}
@@ -37,6 +37,9 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- with .Values.controller.runtimeClassName | default .Values.global.runtimeClassName }}
+      runtimeClassName: {{ . }}
+      {{- end }}
       {{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -55,7 +58,8 @@ spec:
       {{- if .Values.controller.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
       {{- end }}
-      serviceAccountName: {{ include "argo-cd.controllerServiceAccountName" . }}
+      serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }}
       containers:
       - args:
         - /usr/local/bin/argocd-application-controller
@@ -66,38 +70,6 @@ spec:
         - {{ . }}
         {{- end }}
         {{- end }}
-        {{- with .Values.controller.args.statusProcessors }}
-        - --status-processors
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.controller.args.operationProcessors }}
-        - --operation-processors
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.controller.args.appResyncPeriod }}
-        - --app-resync
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.controller.args.appHardResyncPeriod }}
-        - --app-hard-resync
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.controller.args.selfHealTimeout }}
-        - --self-heal-timeout-seconds
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.controller.args.repoServerTimeoutSeconds }}
-        - --repo-server-timeout-seconds
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.controller.logFormat }}
-        - --logformat
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.controller.logLevel }}
-        - --loglevel
-        - {{ . | quote }}
-        {{- end }}
         {{- with .Values.controller.extraArgs }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -110,6 +82,8 @@ spec:
           {{- end }}
           - name: ARGOCD_CONTROLLER_REPLICAS
             value: {{ .Values.controller.replicas | quote }}
+          - name: ARGOCD_APPLICATION_CONTROLLER_NAME
+            value: {{ template "argo-cd.controller.fullname" . }}
           - name: ARGOCD_RECONCILIATION_TIMEOUT
             valueFrom:
               configMapKeyRef:
@@ -122,6 +96,18 @@ spec:
                 name: argocd-cm
                 key: timeout.hard.reconciliation
                 optional: true
+          - name: ARGOCD_RECONCILIATION_JITTER
+            valueFrom:
+              configMapKeyRef:
+                key: timeout.reconciliation.jitter
+                name: argocd-cm
+                optional: true
+          - name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.repo.error.grace.period.seconds
+                optional: true
           - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
             valueFrom:
               configMapKeyRef:
@@ -170,6 +156,30 @@ spec:
                 name: argocd-cmd-params-cm
                 key: controller.self.heal.timeout.seconds
                 optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.self.heal.backoff.timeout.seconds
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.self.heal.backoff.factor
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.self.heal.backoff.cap.seconds
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SYNC_TIMEOUT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.sync.timeout.seconds
+                optional: true
           - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
             valueFrom:
               configMapKeyRef:
@@ -215,14 +225,30 @@ spec:
           - name: REDIS_USERNAME
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
                 key: redis-username
                 optional: true
           - name: REDIS_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
+                {{- if .Values.externalRedis.host }}
                 key: redis-password
+                {{- else }}
+                key: auth
+                {{- end }}
+                optional: true
+          - name: REDIS_SENTINEL_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                key: redis-sentinel-username
+                optional: true
+          - name: REDIS_SENTINEL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                key: redis-sentinel-password
                 optional: true
           - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
             valueFrom:
@@ -236,6 +262,18 @@ spec:
                 name: argocd-cmd-params-cm
                 key: otlp.address
                 optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.insecure
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.headers
+                optional: true
           - name: ARGOCD_APPLICATION_NAMESPACES
             valueFrom:
               configMapKeyRef:
@@ -254,6 +292,50 @@ spec:
                 name: argocd-cmd-params-cm
                 key: controller.kubectl.parallelism.limit
                 optional: true
+          - name: ARGOCD_K8SCLIENT_RETRY_MAX
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.k8sclient.retry.max
+                optional: true
+          - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.k8sclient.retry.base.backoff
+                optional: true
+          - name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.diff.server.side
+                optional: true
+          - name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.ignore.normalizer.jq.timeout
+                optional: true
+          - name: ARGOCD_HYDRATOR_ENABLED
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: hydrator.enabled
+                optional: true
+          - name: ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.cluster.cache.batch.events.processing
+                optional: true
+          - name: ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: controller.cluster.cache.events.processing.interval
+                optional: true
+          - name: KUBECACHEDIR
+            value: /tmp/kubecache
         {{- with .Values.controller.envFrom }}
         envFrom:
           {{- toYaml . | nindent 10 }}
@@ -286,6 +368,10 @@ spec:
           name: argocd-repo-server-tls
         - mountPath: /home/argocd
           name: argocd-home
+        - name: argocd-cmd-params-cm
+          mountPath: /home/argocd/params
+        - name: argocd-application-controller-tmp
+          mountPath: /tmp
       {{- with .Values.controller.extraContainers }}
         {{- tpl (toYaml .) $ | nindent 6 }}
       {{- end }}
@@ -321,7 +407,14 @@ spec:
         {{- toYaml . | nindent 6 }}
       {{- end }}
       - name: argocd-home
+        {{- if .Values.controller.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.controller.emptyDir.sizeLimit }}
+        {{- else }}
         emptyDir: {}
+        {{- end }}
+      - emptyDir: {}
+        name: argocd-application-controller-tmp
       - name: argocd-repo-server-tls
         secret:
           secretName: argocd-repo-server-tls
@@ -333,6 +426,13 @@ spec:
             path: tls.key
           - key: ca.crt
             path: ca.crt
+      - name: argocd-cmd-params-cm
+        configMap:
+          optional: true
+          name: argocd-cmd-params-cm
+          items:
+          - key: controller.profile.enabled
+            path: profiler.enabled
       {{- if .Values.controller.hostNetwork }}
       hostNetwork: {{ .Values.controller.hostNetwork }}
       {{- end }}
@@ -341,3 +441,4 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       dnsPolicy: {{ .Values.controller.dnsPolicy }}
+{{- end }}

charts/argo-cd/templates/argocd-applicationset/certificate.yaml

@@ -9,14 +9,14 @@ metadata:
     {{- end }}
   {{- end }}
   name: {{ template "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
 spec:
-  secretName: {{ .Values.applicationSet.certificate.secretName }}
+  secretName: argocd-applicationset-controller-tls
-  commonName: {{ .Values.applicationSet.certificate.domain | quote }}
+  commonName: {{ .Values.applicationSet.certificate.domain | default .Values.global.domain }}
   dnsNames:
-    - {{ .Values.applicationSet.certificate.domain | quote }}
+    - {{ .Values.applicationSet.certificate.domain | default .Values.global.domain }}
     {{- range .Values.applicationSet.certificate.additionalHosts }}
     - {{ . | quote }}
     {{- end }}

charts/argo-cd/templates/argocd-applicationset/clusterrole.yaml

@@ -0,0 +1,90 @@
+{{- if .Values.applicationSet.allowAnyNamespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.applicationSet.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
+rules:
+  - apiGroups:
+    - argoproj.io
+    resources:
+    - applications
+    - applicationsets
+    - applicationsets/finalizers
+    verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+  - apiGroups:
+    - argoproj.io
+    resources:
+    - applicationsets/status
+    verbs:
+    - get
+    - patch
+    - update
+  - apiGroups:
+    - argoproj.io
+    resources:
+    - appprojects
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - events
+    verbs:
+    - create
+    - get
+    - list
+    - patch
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    verbs:
+    - create
+    - update
+    - delete
+    - get
+    - list
+    - patch
+    - watch
+  - apiGroups:
+    - ""
+    resources:
+    - secrets
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - apps
+    - extensions
+    resources:
+    - deployments
+    verbs:
+    - get
+    - list
+    - watch
+  - apiGroups:
+    - coordination.k8s.io
+    resources:
+    - leases
+    verbs:
+    - create
+    - delete
+    - get
+    - list
+    - patch
+    - update
+    - watch
+{{- end }}

charts/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.applicationSet.allowAnyNamespace }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "argo-cd.applicationSet.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "argo-cd.applicationSet.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "argo-cd.applicationSet.serviceAccountName" . }}
+    namespace: {{ include "argo-cd.namespace" . }}
+{{- end }}

charts/argo-cd/templates/argocd-applicationset/deployment.yaml

@@ -1,4 +1,3 @@
-{{- if .Values.applicationSet.enabled }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -9,7 +8,7 @@ metadata:
     {{- end }}
   {{- end }}
   name: {{ include "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
 spec:
@@ -17,7 +16,7 @@ spec:
   strategy:
     {{- trim . | nindent 4 }}
   {{- end }}
-  replicas: {{ .Values.applicationSet.replicas | default .Values.applicationSet.replicaCount }}
+  replicas: {{ .Values.applicationSet.replicas }}
   revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
   selector:
     matchLabels:
@@ -37,6 +36,9 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- with .Values.applicationSet.runtimeClassName | default .Values.global.runtimeClassName }}
+      runtimeClassName: {{ . }}
+      {{- end }}
       {{- with .Values.applicationSet.imagePullSecrets | default .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -55,7 +57,8 @@ spec:
       {{- if .Values.applicationSet.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.applicationSet.terminationGracePeriodSeconds }}
       {{- end }}
-      serviceAccountName: {{ include "argo-cd.applicationSetServiceAccountName" . }}
+      serviceAccountName: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.applicationSet.automountServiceAccountToken }}
       containers:
         - name: {{ .Values.applicationSet.name }}
           image: {{ default .Values.global.image.repository .Values.applicationSet.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.applicationSet.image.tag }}
@@ -65,20 +68,6 @@ spec:
             - --metrics-addr=:{{ .Values.applicationSet.containerPorts.metrics }}
             - --probe-addr=:{{ .Values.applicationSet.containerPorts.probe }}
             - --webhook-addr=:{{ .Values.applicationSet.containerPorts.webhook }}
-            {{- with .Values.applicationSet.args.policy }}
-            - --policy={{ . }}
-            {{- end }}
-            {{- with .Values.applicationSet.args.dryRun }}
-            - --dry-run={{ . }}
-            {{- end }}
-            {{- with .Values.applicationSet.logFormat }}
-            - --logformat
-            - {{ . }}
-            {{- end }}
-            {{- with .Values.applicationSet.logLevel }}
-            - --loglevel
-            - {{ . }}
-            {{- end }}
             {{- with .Values.applicationSet.extraArgs }}
               {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -162,6 +151,12 @@ spec:
                   key: applicationsetcontroller.enable.progressive.syncs
                   name: argocd-cmd-params-cm
                   optional: true
+            - name: ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE
+              valueFrom:
+                configMapKeyRef:
+                  key: applicationsetcontroller.enable.tokenref.strict.mode
+                  name: argocd-cmd-params-cm
+                  optional: true
             - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
               valueFrom:
                 configMapKeyRef:
@@ -210,6 +205,24 @@ spec:
                   name: argocd-cmd-params-cm
                   key: applicationsetcontroller.allowed.scm.providers
                   optional: true
+            - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
+              valueFrom:
+                configMapKeyRef:
+                  name: argocd-cmd-params-cm
+                  key: applicationsetcontroller.enable.scm.providers
+                  optional: true
+            - name: ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT
+              valueFrom:
+                configMapKeyRef:
+                  name: argocd-cmd-params-cm
+                  key: applicationsetcontroller.webhook.parallelism.limit
+                  optional: true
+            - name: ARGOCD_APPLICATIONSET_CONTROLLER_REQUEUE_AFTER
+              valueFrom:
+                configMapKeyRef:
+                  key: applicationsetcontroller.requeue.after
+                  name: argocd-cmd-params-cm
+                  optional: true
           {{- with .Values.applicationSet.extraEnvFrom }}
           envFrom:
             {{- toYaml . | nindent 12 }}
@@ -310,9 +323,19 @@ spec:
           configMap:
             name: argocd-gpg-keys-cm
         - name: gpg-keyring
+          {{- if .Values.applicationSet.emptyDir.sizeLimit }}
+          emptyDir:
+            sizeLimit: {{ .Values.applicationSet.emptyDir.sizeLimit }}
+          {{- else }}
           emptyDir: {}
+          {{- end }}
         - name: tmp
+          {{- if .Values.applicationSet.emptyDir.sizeLimit }}
+          emptyDir:
+            sizeLimit: {{ .Values.applicationSet.emptyDir.sizeLimit }}
+          {{- else }}
           emptyDir: {}
+          {{- end }}
         - name: argocd-repo-server-tls
           secret:
             secretName: argocd-repo-server-tls
@@ -329,4 +352,3 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       dnsPolicy: {{ .Values.applicationSet.dnsPolicy }}
-{{- end }}

charts/argo-cd/templates/argocd-applicationset/ingress.yaml

@@ -0,0 +1,62 @@
+{{- if .Values.applicationSet.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "argo-cd.applicationSet.fullname" . }}
+  namespace: {{ include  "argo-cd.namespace" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
+    {{- with .Values.applicationSet.ingress.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.applicationSet.ingress.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- with .Values.applicationSet.ingress.ingressClassName }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.applicationSet.ingress.hostname | default .Values.global.domain }}
+      http:
+        paths:
+          {{- with .Values.applicationSet.ingress.extraPaths }}
+            {{- tpl (toYaml .) $ | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.applicationSet.ingress.path }}
+            pathType: {{ .Values.applicationSet.ingress.pathType }}
+            backend:
+              service:
+                name: {{ include "argo-cd.applicationSet.fullname" . }}
+                port:
+                  number: {{ .Values.applicationSet.service.port }}
+    {{- range .Values.applicationSet.ingress.extraHosts }}
+    - host: {{ .name | quote }}
+      http:
+        paths:
+          - path: {{ default $.Values.applicationSet.ingress.path .path }}
+            pathType: {{ default $.Values.applicationSet.ingress.pathType .pathType }}
+            backend:
+              service:
+                name: {{ include "argo-cd.applicationSet.fullname" $ }}
+                port:
+                  number: {{ $.Values.applicationSet.service.port }}
+    {{- end }}
+    {{- with .Values.applicationSet.ingress.extraRules }}
+      {{- tpl (toYaml .) $ | nindent 4 }}
+    {{- end }}
+  {{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }}
+  tls:
+    {{- if .Values.applicationSet.ingress.tls }}
+    - hosts:
+      - {{ .Values.applicationSet.ingress.hostname | default .Values.global.domain }}
+      secretName: argocd-applicationset-controller-tls
+    {{- end }}
+    {{- with .Values.applicationSet.ingress.extraTls }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/argo-cd/templates/argocd-applicationset/metrics.yaml

@@ -1,9 +1,9 @@
-{{- if and .Values.applicationSet.enabled .Values.applicationSet.metrics.enabled }}
+{{- if .Values.applicationSet.metrics.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "argo-cd.applicationSet.fullname" . }}-metrics
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" "metrics") | nindent 4 }}
     {{- with .Values.applicationSet.metrics.service.labels }}
@@ -24,6 +24,7 @@ spec:
   {{- if and .Values.applicationSet.metrics.service.clusterIP (eq .Values.applicationSet.metrics.service.type "ClusterIP") }}
   clusterIP: {{ .Values.applicationSet.metrics.service.clusterIP }}
   {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name:  {{ .Values.applicationSet.metrics.service.portName }}
     protocol: TCP

charts/argo-cd/templates/argocd-applicationset/networkpolicy.yaml

@@ -1,14 +1,14 @@
-{{- if and .Values.applicationSet.enabled .Values.global.networkPolicy.create (or .Values.applicationSet.metrics.enabled .Values.applicationSet.webhook.ingress.enabled) }}
+{{- if and .Values.global.networkPolicy.create (or .Values.applicationSet.metrics.enabled .Values.applicationSet.ingress.enabled) }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ template "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
 spec:
   ingress:
-  {{- if .Values.applicationSet.webhook.ingress.enabled }}
+  {{- if .Values.applicationSet.ingress.enabled }}
   - ports:
     - port: webhook
   {{- end }}

charts/argo-cd/templates/argocd-applicationset/pdb.yaml

@@ -1,9 +1,9 @@
-{{- if and .Values.applicationSet.enabled .Values.applicationSet.pdb.enabled }}
+{{- if .Values.applicationSet.pdb.enabled }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
     {{- with .Values.applicationSet.pdb.labels }}

charts/argo-cd/templates/argocd-applicationset/role.yaml

@@ -1,9 +1,8 @@
-{{- if .Values.applicationSet.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ include "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
 rules:
@@ -35,6 +34,8 @@ rules:
     - appprojects
     verbs:
     - get
+    - list
+    - watch
   - apiGroups:
     - ""
     resources:
@@ -86,4 +87,3 @@ rules:
     - patch
     - update
     - watch
-{{- end }}

charts/argo-cd/templates/argocd-applicationset/rolebinding.yaml

@@ -1,17 +1,15 @@
-{{- if .Values.applicationSet.enabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "argo-cd.applicationSet.fullname" . }}
+  name: {{ include "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "argo-cd.applicationSet.fullname" . }}
+  name: {{ include "argo-cd.applicationSet.fullname" . }}
 subjects:
   - kind: ServiceAccount
-    name: {{ template "argo-cd.applicationSetServiceAccountName" . }}
+    name: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "argo-cd.namespace" . }}
-{{- end }}

charts/argo-cd/templates/argocd-applicationset/service.yaml

@@ -1,4 +1,3 @@
-{{- if .Values.applicationSet.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -9,7 +8,7 @@ metadata:
   {{- end }}
 {{- end }}
   name: {{ template "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
 {{- with .Values.applicationSet.service.labels }}
@@ -17,10 +16,10 @@ metadata:
 {{- end }}
 spec:
   type: {{ .Values.applicationSet.service.type }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.applicationSet.service.portName }}
     port: {{ .Values.applicationSet.service.port }}
     targetPort: webhook
   selector:
     {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 4 }}
-{{- end }}

charts/argo-cd/templates/argocd-applicationset/serviceaccount.yaml

@@ -1,19 +1,19 @@
-{{- if and .Values.applicationSet.enabled .Values.applicationSet.serviceAccount.create }}
+{{- if .Values.applicationSet.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.applicationSet.serviceAccount.automountServiceAccountToken }}
 metadata:
-  name: {{ template "argo-cd.applicationSetServiceAccountName" . }}
+  name: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
-{{- if .Values.applicationSet.serviceAccount.annotations }}
+  {{- with .Values.applicationSet.serviceAccount.annotations }}
   annotations:
-  {{- range $key, $value := .Values.applicationSet.serviceAccount.annotations }}
+    {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
-  {{- range $key, $value := .Values.applicationSet.serviceAccount.labels }}
+    {{- with .Values.applicationSet.serviceAccount.labels }}
-    {{ $key }}: {{ $value | quote }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

charts/argo-cd/templates/argocd-applicationset/servicemonitor.yaml

@@ -1,10 +1,9 @@
-{{- if .Values.applicationSet.enabled }}
 {{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.applicationSet.metrics.enabled .Values.applicationSet.metrics.serviceMonitor.enabled }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.applicationSet.metrics.serviceMonitor.namespace | quote }}
+  namespace: {{ default (include  "argo-cd.namespace" .) .Values.applicationSet.metrics.serviceMonitor.namespace | quote }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
     {{- with .Values.applicationSet.metrics.serviceMonitor.selector }}
@@ -23,6 +22,9 @@ spec:
       {{- with .Values.applicationSet.metrics.serviceMonitor.interval }}
       interval: {{ . }}
       {{- end }}
+      {{- with .Values.applicationSet.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
       path: /metrics
       {{- with .Values.applicationSet.metrics.serviceMonitor.relabelings }}
       relabelings:
@@ -32,6 +34,7 @@ spec:
       metricRelabelings:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      honorLabels: {{ .Values.applicationSet.metrics.serviceMonitor.honorLabels }}
       {{- with .Values.applicationSet.metrics.serviceMonitor.scheme }}
       scheme: {{ . }}
       {{- end }}
@@ -41,9 +44,8 @@ spec:
       {{- end }}
   namespaceSelector:
     matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "argo-cd.namespace" . }}
   selector:
     matchLabels:
       {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.applicationSet.name "name" "metrics") | nindent 6 }}
 {{- end }}
-{{- end }}

charts/argo-cd/templates/argocd-applicationset/webhook-ingress.yaml

@@ -1,73 +0,0 @@
-{{- if and .Values.applicationSet.enabled .Values.applicationSet.webhook.ingress.enabled -}}
-{{- $servicePort := .Values.applicationSet.service.portName -}}
-{{- $paths := .Values.applicationSet.webhook.ingress.paths -}}
-{{- $extraPaths := .Values.applicationSet.webhook.ingress.extraPaths -}}
-{{- $pathType := .Values.applicationSet.webhook.ingress.pathType -}}
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: {{ include "argo-cd.applicationSet.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
-  labels:
-    {{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
-    {{- with .Values.applicationSet.webhook.ingress.labels }}
-      {{- toYaml . | nindent 4 }}
-    {{- end }}
-  {{- with .Values.applicationSet.webhook.ingress.annotations }}
-  annotations:
-    {{- range $key, $value := . }}
-    {{ $key }}: {{ $value | quote }}
-    {{- end }}
-  {{- end }}
-spec:
-  {{- with .Values.applicationSet.webhook.ingress.ingressClassName }}
-  ingressClassName: {{ . }}
-  {{- end }}
-  rules:
-  {{- if .Values.applicationSet.webhook.ingress.hosts }}
-    {{- range $host := .Values.applicationSet.webhook.ingress.hosts }}
-    - host: {{ $host }}
-      http:
-        paths:
-          {{- with $extraPaths }}
-          {{- toYaml . | nindent 10 }}
-          {{- end }}
-          {{- range $p := $paths }}
-          - path: {{ $p }}
-            pathType: {{ $pathType }}
-            backend:
-              service:
-                name: {{ include "argo-cd.applicationSet.fullname" $ }}
-                port:
-                  {{- if kindIs "float64" $servicePort }}
-                  number: {{ $servicePort }}
-                  {{- else }}
-                  name: {{ $servicePort }}
-                  {{- end }}
-          {{- end -}}
-    {{- end -}}
-  {{- else }}
-    - http:
-        paths:
-          {{- with $extraPaths }}
-          {{- toYaml . | nindent 10 }}
-          {{- end }}
-          {{- range $p := $paths }}
-          - path: {{ $p }}
-            pathType: {{ $pathType }}
-            backend:
-              service:
-                name: {{ include "argo-cd.applicationSet.fullname" $ }}
-                port:
-                  {{- if kindIs "float64" $servicePort }}
-                  number: {{ $servicePort }}
-                  {{- else }}
-                  name: {{ $servicePort }}
-                  {{- end }}
-          {{- end -}}
-  {{- end -}}
-  {{- with .Values.applicationSet.webhook.ingress.tls }}
-  tls:
-    {{- toYaml . | nindent 4 }}
-  {{- end -}}
-{{- end -}}

charts/argo-cd/templates/argocd-commit-server/deployment.yaml

@@ -0,0 +1,238 @@
+{{- if .Values.commitServer.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  {{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.commitServer.deploymentAnnotations) }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  name: {{ template "argo-cd.commitServer.fullname" . }}
+  namespace: {{ include  "argo-cd.namespace" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.commitServer.name "name" .Values.commitServer.name) | nindent 4 }}
+spec:
+  {{- with include "argo-cd.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.commitServer.deploymentStrategy) }}
+  strategy:
+    {{- trim . | nindent 4 }}
+  {{- end }}
+  revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+  selector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.commitServer.name) | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.commitServer.podAnnotations) }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+        {{- end }}
+      labels:
+        {{- include "argo-cd.labels" (dict "context" . "component" .Values.commitServer.name "name" .Values.commitServer.name) | nindent 8 }}
+        {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.commitServer.podLabels) }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.commitServer.runtimeClassName | default .Values.global.runtimeClassName }}
+      runtimeClassName: {{ . }}
+      {{- end }}
+      {{- with .Values.commitServer.imagePullSecrets | default .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.commitServer.priorityClassName | default .Values.global.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- with .Values.commitServer.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ . }}
+      {{- end }}
+      serviceAccountName: {{ include "argo-cd.commitServer.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.commitServer.automountServiceAccountToken }}
+      containers:
+      - name: {{ .Values.commitServer.name }}
+        image: {{ default .Values.global.image.repository .Values.commitServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.commitServer.image.tag }}
+        imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.commitServer.image.imagePullPolicy }}
+        args:
+        - /usr/local/bin/argocd-commit-server
+        {{- with .Values.commitServer.extraArgs }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        env:
+          {{- with (concat .Values.global.env .Values.commitServer.extraEnv) }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+          - name: ARGOCD_COMMIT_SERVER_LISTEN_ADDRESS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: commitserver.listen.address
+                optional: true
+          - name: ARGOCD_COMMIT_SERVER_METRICS_LISTEN_ADDRESS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: commitserver.metrics.listen.address
+                optional: true
+          - name: ARGOCD_COMMIT_SERVER_LOGFORMAT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: commitserver.log.format
+                optional: true
+          - name: ARGOCD_COMMIT_SERVER_LOGLEVEL
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: commitserver.log.level
+                optional: true
+          - name: ARGOCD_LOG_FORMAT_TIMESTAMP
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: log.format.timestamp
+                optional: true
+        {{- with .Values.commitServer.envFrom }}
+        envFrom:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        ports:
+        - containerPort: 8086
+          name: server
+          protocol: TCP
+        - containerPort: 8087
+          name: metrics
+          protocol: TCP
+        {{- if .Values.commitServer.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /healthz?full=true
+            port: 8087
+          initialDelaySeconds: {{ .Values.commitServer.livenessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.commitServer.livenessProbe.periodSeconds }}
+          failureThreshold: {{ .Values.commitServer.livenessProbe.failureThreshold }}
+          timeoutSeconds: {{ .Values.commitServer.livenessProbe.timeoutSeconds }}
+        {{- end }}
+        {{- if .Values.commitServer.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8087
+          initialDelaySeconds: {{ .Values.commitServer.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.commitServer.readinessProbe.periodSeconds }}
+          failureThreshold: {{ .Values.commitServer.readinessProbe.failureThreshold }}
+          timeoutSeconds: {{ .Values.commitServer.readinessProbe.timeoutSeconds }}
+        {{- end }}
+        resources:
+          {{- toYaml .Values.commitServer.resources | nindent 10 }}
+        {{- with .Values.commitServer.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        {{- with .Values.commitServer.lifecycle }}
+        lifecycle:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        volumeMounts:
+        {{- with .Values.commitServer.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        - name: ssh-known-hosts
+          mountPath: /app/config/ssh
+        - name: tls-certs
+          mountPath: /app/config/tls
+        - name: gpg-keys
+          mountPath: /app/config/gpg/source
+        - name: gpg-keyring
+          mountPath: /app/config/gpg/keys
+        # We need a writeable temp directory for the askpass socket file.
+        - name: tmp
+          mountPath: /tmp
+      initContainers:
+      - command:
+        - /bin/cp
+        - -n
+        - /usr/local/bin/argocd
+        - /var/run/argocd/argocd-cmp-server
+        image: {{ default .Values.global.image.repository .Values.commitServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.commitServer.image.tag }}
+        name: copyutil
+        resources:
+          {{- toYaml .Values.commitServer.resources | nindent 10 }}
+        {{- with .Values.commitServer.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        volumeMounts:
+        - mountPath: /var/run/argocd
+          name: var-files
+      volumes:
+        {{- with .Values.commitServer.extraVolumes }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        - name: ssh-known-hosts
+          configMap:
+            name: argocd-ssh-known-hosts-cm
+        - name: tls-certs
+          configMap:
+            name: argocd-tls-certs-cm
+        - name: gpg-keys
+          configMap:
+            name: argocd-gpg-keys-cm
+        - name: gpg-keyring
+          emptyDir: {}
+        - name: tmp
+          emptyDir: {}
+        - name: argocd-commit-server-tls
+          secret:
+            secretName: argocd-commit-server-tls
+            optional: true
+            items:
+            - key: tls.crt
+              path: tls.crt
+            - key: tls.key
+              path: tls.key
+            - key: ca.crt
+              path: ca.crt
+        - emptyDir: {}
+          name: var-files
+      {{- with include "argo-cd.affinity" (dict "context" . "component" .Values.commitServer) }}
+      affinity:
+        {{- trim . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.commitServer.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.commitServer.tolerations | default .Values.global.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.commitServer.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- range $constraint := . }}
+      - {{ toYaml $constraint | nindent 8 | trim }}
+        {{- if not $constraint.labelSelector }}
+        labelSelector:
+          matchLabels:
+            {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.commitServer.name) | nindent 12 }}
+        {{- end }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.commitServer.hostNetwork }}
+      hostNetwork: {{ .Values.commitServer.hostNetwork }}
+      {{- end }}
+      {{- with .Values.commitServer.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      dnsPolicy: {{ .Values.commitServer.dnsPolicy }}
+{{- end }}

charts/argo-cd/templates/argocd-commit-server/metrics.yaml

@@ -0,0 +1,35 @@
+{{- if and .Values.commitServer.enabled .Values.commitServer.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "argo-cd.commitServer.fullname" . }}-metrics
+  namespace: {{ include  "argo-cd.namespace" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.commitServer.name "name" "metrics") | nindent 4 }}
+    {{- with .Values.commitServer.metrics.service.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if or .Values.commitServer.metrics.service.annotations .Values.global.addPrometheusAnnotations }}
+  annotations:
+    {{- if .Values.global.addPrometheusAnnotations }}
+    prometheus.io/port: {{ .Values.commitServer.metrics.service.servicePort | quote }}
+    prometheus.io/scrape: "true"
+    {{- end }}
+    {{- range $key, $value := .Values.commitServer.metrics.service.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  type: {{ .Values.commitServer.metrics.service.type }}
+  {{- if and .Values.commitServer.metrics.service.clusterIP (eq .Values.commitServer.metrics.service.type "ClusterIP") }}
+  clusterIP: {{ .Values.commitServer.metrics.service.clusterIP }}
+  {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
+  ports:
+  - name:  {{ .Values.commitServer.metrics.service.portName }}
+    protocol: TCP
+    port: {{ .Values.commitServer.metrics.service.servicePort }}
+    targetPort: 8087
+  selector:
+    {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.commitServer.name) | nindent 4 }}
+{{- end }}

charts/argo-cd/templates/argocd-commit-server/networkpolicy.yaml

@@ -0,0 +1,25 @@
+{{- if and .Values.commitServer.enabled .Values.global.networkPolicy.create }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ template "argo-cd.commitServer.fullname" . }}
+  namespace: {{ include  "argo-cd.namespace" . }}
+spec:
+  podSelector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.commitServer.name) | nindent 6 }}
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 14 }}
+      ports:
+        - protocol: TCP
+          port: 8086
+    - from:
+        - namespaceSelector: { }
+      ports:
+        - port: 8087
+{{- end }}

charts/argo-cd/templates/argocd-commit-server/service.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.commitServer.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "argo-cd.commitServer.fullname" . }}
+  namespace: {{ include  "argo-cd.namespace" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.commitServer.name "name" .Values.commitServer.name) | nindent 4 }}
+    {{- with .Values.commitServer.service.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.commitServer.service.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+spec:
+  ports:
+  - name: server
+    protocol: TCP
+    port: 8086
+    targetPort: 8086
+  selector:
+    {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.commitServer.name) | nindent 4 }}
+{{- end }}

charts/argo-cd/templates/argocd-commit-server/serviceaccount.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.commitServer.enabled .Values.commitServer.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.commitServer.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ include "argo-cd.commitServer.serviceAccountName" . }}
+  namespace: {{ include  "argo-cd.namespace" . }}
+  {{- with .Values.commitServer.serviceAccount.annotations }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.commitServer.name "name" .Values.commitServer.name) | nindent 4 }}
+    {{- with .Values.commitServer.serviceAccount.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}

charts/argo-cd/templates/argocd-configs/argocd-cm.yaml

@@ -1,12 +1,12 @@
-{{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
+{{- if .Values.configs.cm.create }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cm") | nindent 4 }}
-  {{- with (mergeOverwrite (deepCopy .Values.configs.cm.annotations) (.Values.server.configAnnotations | default dict)) }}
+  {{- with .Values.configs.cm.annotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}

charts/argo-cd/templates/argocd-configs/argocd-cmd-params-cm.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cmd-params-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cmd-params-cm") | nindent 4 }}
   {{- if .Values.configs.params.annotations }}

charts/argo-cd/templates/argocd-configs/argocd-cmp-cm.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cmp-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "cmp-cm") | nindent 4 }}
   {{- with .Values.configs.cmp.annotations }}

charts/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-dex-server-tls
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" "dex-server-tls") | nindent 4 }}
     {{- with .Values.dex.certificateSecret.labels }}

charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml

@@ -2,16 +2,16 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-gpg-keys-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "name" "gpg-keys-cm") | nindent 4 }}
-  {{ with (mergeOverwrite (deepCopy .Values.configs.gpg.annotations) (.Values.configs.gpgKeysAnnotations | default dict)) -}}
+  {{- with .Values.configs.gpg.annotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
-{{ with (mergeOverwrite (deepCopy .Values.configs.gpg.keys) (.Values.configs.gpgKeys | default dict)) -}}
+{{- with .Values.configs.gpg.keys }}
 data:
   {{- toYaml . | nindent 2 }}
 {{- end }}

charts/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml

@@ -3,12 +3,12 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-notifications-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
 data:
   context: |
-    argocdUrl: {{ .Values.notifications.argocdUrl | quote }}
+    argocdUrl: {{ .Values.notifications.argocdUrl | default (printf "https://%s" .Values.global.domain) }}
     {{- with .Values.notifications.context }}
       {{- toYaml . | nindent 4 }}
     {{- end }}

charts/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml

@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: argocd-notifications-secret
+  name: {{ .Values.notifications.secret.name }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
     {{- with .Values.notifications.secret.labels }}

charts/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml

@@ -1,18 +1,18 @@
-{{- if (hasKey .Values.server "rbacConfigCreate") | ternary .Values.server.rbacConfigCreate .Values.configs.rbac.create }}
+{{- if .Values.configs.rbac.create }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-rbac-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "rbac-cm") | nindent 4 }}
-  {{- with (mergeOverwrite (deepCopy .Values.configs.rbac.annotations) (.Values.server.rbacConfigAnnotations | default dict)) }}
+  {{- with .Values.configs.rbac.annotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
-{{- with (mergeOverwrite (deepCopy (omit .Values.configs.rbac "create" "annotations")) (.Values.server.rbacConfig | default dict)) }}
+{{- with (omit .Values.configs.rbac "create" "annotations") }}
 data:
   {{- toYaml . | nindent 2 }}
 {{- end }}

charts/argo-cd/templates/argocd-configs/argocd-repo-server-tls-secret.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-repo-server-tls
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "repo-server-tls") | nindent 4 }}
     {{- with .Values.repoServer.certificateSecret.labels }}

charts/argo-cd/templates/argocd-configs/argocd-secret.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-secret
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "secret") | nindent 4 }}
     {{- with .Values.configs.secret.labels }}
@@ -16,7 +16,7 @@ metadata:
     {{- end }}
   {{- end }}
 type: Opaque
-{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.argocdServerTlsConfig .Values.configs.secret.extra) }}
+{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.extra) }}
 # Setting a blank data again will wipe admin password/key/cert
 data:
   {{- with .Values.configs.secret.githubSecret }}
@@ -34,9 +34,9 @@ data:
   {{- with .Values.configs.secret.gogsSecret }}
   webhook.gogs.secret: {{ . | b64enc }}
   {{- end }}
-  {{- with .Values.configs.secret.argocdServerTlsConfig }}
+  {{- if and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password }}
-  tls.key: {{ .key | b64enc }}
+  webhook.azuredevops.username: {{ .Values.configs.secret.azureDevops.username | b64enc }}
-  tls.crt: {{ .crt | b64enc }}
+  webhook.azuredevops.password: {{ .Values.configs.secret.azureDevops.password | b64enc }}
   {{- end }}
   {{- if .Values.configs.secret.argocdServerAdminPassword }}
   admin.password: {{ .Values.configs.secret.argocdServerAdminPassword | b64enc }}

charts/argo-cd/templates/argocd-configs/argocd-server-tls-secret.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-server-tls
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "server-tls") | nindent 4 }}
     {{- with .Values.server.certificateSecret.labels }}

charts/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml

@@ -1,11 +1,12 @@
+{{- if .Values.configs.ssh.create }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-ssh-known-hosts-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "name" "ssh-known-hosts-cm") | nindent 4 }}
-  {{- with (mergeOverwrite (deepCopy .Values.configs.ssh.annotations) (.Values.configs.knownHostsAnnotations | default dict)) }}
+  {{- with .Values.configs.ssh.annotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
@@ -13,11 +14,8 @@ metadata:
   {{- end }}
 data:
   ssh_known_hosts: |
-    {{- if hasKey .Values.configs "knownHosts" }}
-      {{- .Values.configs.knownHosts.data.ssh_known_hosts | nindent 4 }}
-    {{- else }}
     {{- .Values.configs.ssh.knownHosts | nindent 4 }}
-    {{- end }}
     {{- with .Values.configs.ssh.extraHosts }}
       {{- . | nindent 4 }}
     {{- end }}
+{{- end }}

charts/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-styles-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 data:

charts/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml

@@ -1,21 +1,17 @@
+{{- if .Values.configs.tls.create }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-tls-certs-cm
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "name" "tls-certs-cm") | nindent 4 }}
-  {{- with (mergeOverwrite (deepCopy .Values.configs.tls.annotations) (.Values.configs.tlsCertsAnnotations | default dict)) }}
+  {{- with .Values.configs.tls.annotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
-{{- if hasKey .Values.configs "tlsCerts" }}
-  {{- with .Values.configs.tlsCerts }}
-    {{- toYaml . | nindent 0 }}
-  {{- end }}
-{{- else }}
 {{- with .Values.configs.tls.certificates }}
 data:
   {{- toYaml . | nindent 2 }}

charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml

@@ -1,17 +1,17 @@
-{{- range .Values.configs.clusterCredentials }}
+{{- range $cluster_key, $cluster_value := .Values.configs.clusterCredentials }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "argo-cd.name" $ }}-cluster-{{ .name }}
+  name: {{ include "argo-cd.name" $ }}-cluster-{{ $cluster_key }}
-  namespace: {{ $.Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" $ | quote }}
   labels:
     {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
-    {{- with .labels }}
+    {{- with $cluster_value.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
     argocd.argoproj.io/secret-type: cluster
-  {{- with .annotations }}
+  {{- with $cluster_value.annotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
@@ -19,17 +19,20 @@ metadata:
   {{- end }}
 type: Opaque
 stringData:
-  name: {{ required "A valid .Values.configs.clusterCredentials[].name entry is required!" .name }}
+  {{- if $cluster_value.shard }}
-  server: {{ required "A valid .Values.configs.clusterCredentials[].server entry is required!" .server }}
+  shard: {{ $cluster_value.shard | quote }}
-  {{- if .namespaces }}
+  {{- end }}
-  namespaces: {{ .namespaces }}
+  name: {{ $cluster_key }}
-    {{- if .clusterResources }}
+  server: {{ required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.server entry is required!" $cluster_value.server }}
-  clusterResources: {{ .clusterResources | quote }}
+  {{- if $cluster_value.namespaces }}
+  namespaces: {{ $cluster_value.namespaces }}
+    {{- if $cluster_value.clusterResources }}
+  clusterResources: {{ $cluster_value.clusterResources | quote }}
     {{- end }}
   {{- end }}
-  {{- if .project }}
+  {{- if $cluster_value.project }}
-  project: {{ .project | quote }}
+  project: {{ $cluster_value.project | quote }}
   {{- end }}
   config: |
-    {{- required "A valid .Values.configs.clusterCredentials[].config entry is required!" .config | toRawJson | nindent 4 }}
+    {{- required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.config entry is required!" $cluster_value.config | toRawJson | nindent 4 }}
 {{- end }}

charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml

@@ -2,8 +2,8 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "argo-cd.redis.fullname" . }}
+  name: argocd-redis
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
   {{- with .Values.externalRedis.secretAnnotations }}

charts/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-repo-creds-{{ $repo_cred_key }}
-  namespace: {{ $.Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" $ | quote }}
   labels:
     argocd.argoproj.io/secret-type: repo-creds
     {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}

charts/argo-cd/templates/argocd-configs/repository-secret.yaml

@@ -4,7 +4,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-repo-{{ $repo_key }}
-  namespace: {{ $.Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" $ | quote }}
   labels:
     argocd.argoproj.io/secret-type: repository
     {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}

charts/argo-cd/templates/argocd-notifications/clusterrole.yaml

@@ -10,13 +10,43 @@ rules:
     {{- toYaml . | nindent 2 }}
   {{- end }}
   - apiGroups:
-    - "argoproj.io"
+    - argoproj.io
     resources:
-    - "applications"
+    - applications
+    - appprojects
     verbs:
     - get
     - list
     - watch
     - update
     - patch
+  - apiGroups:
+    - ""
+    resources:
+    - configmaps
+    - secrets
+    verbs:
+    - list
+    - watch
+    {{- if (index .Values.configs.params "application.namespaces") }}
+    - create
+    {{- end }}
+  {{- if .Values.notifications.cm.create }}
+  - apiGroups:
+    - ""
+    resourceNames:
+    - argocd-notifications-cm
+    resources:
+    - configmaps
+    verbs:
+    - get
+  {{- end }}
+  - apiGroups:
+    - ""
+    resourceNames:
+    - {{ .Values.notifications.secret.name }}
+    resources:
+    - secrets
+    verbs:
+    - get
 {{- end }}

charts/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml

@@ -11,6 +11,6 @@ roleRef:
   name: {{ include "argo-cd.notifications.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "argo-cd.notificationsServiceAccountName" . }}
+  name: {{ include "argo-cd.notifications.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "argo-cd.namespace" . }}
 {{- end }}

charts/argo-cd/templates/argocd-notifications/deployment.yaml

@@ -9,7 +9,7 @@ metadata:
     {{- end }}
   {{- end }}
   name: {{ include "argo-cd.notifications.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
 spec:
@@ -36,6 +36,9 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- with .Values.notifications.runtimeClassName | default .Values.global.runtimeClassName }}
+      runtimeClassName: {{ . }}
+      {{- end }}
       {{- with .Values.notifications.imagePullSecrets | default .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -54,7 +57,8 @@ spec:
       {{- if .Values.notifications.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.notifications.terminationGracePeriodSeconds }}
       {{- end }}
-      serviceAccountName: {{ include "argo-cd.notificationsServiceAccountName" . }}
+      serviceAccountName: {{ include "argo-cd.notifications.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.notifications.automountServiceAccountToken }}
       containers:
         - name: {{ .Values.notifications.name }}
           image: {{ default .Values.global.image.repository .Values.notifications.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.image.tag }}
@@ -64,8 +68,9 @@ spec:
             - --metrics-port={{ .Values.notifications.containerPorts.metrics }}
             - --loglevel={{ default .Values.global.logging.level .Values.notifications.logLevel }}
             - --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }}
-            - --namespace={{ .Release.Namespace }}
+            - --namespace={{ include "argo-cd.namespace" . }}
             - --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}
+            - --secret-name={{ .Values.notifications.secret.name }}
             {{- range .Values.notifications.extraArgs }}
             - {{ . | squote }}
             {{- end }}
@@ -91,6 +96,18 @@ spec:
                   key: application.namespaces
                   name: argocd-cmd-params-cm
                   optional: true
+            - name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED
+              valueFrom:
+                configMapKeyRef:
+                  key: notificationscontroller.selfservice.enabled
+                  name: argocd-cmd-params-cm
+                  optional: true
+            - name: ARGOCD_NOTIFICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
+              valueFrom:
+                configMapKeyRef:
+                  key: notificationscontroller.repo.server.plaintext
+                  name: argocd-cmd-params-cm
+                  optional: true
           {{- with .Values.notifications.extraEnvFrom }}
           envFrom:
             {{- toYaml . | nindent 12 }}
@@ -99,6 +116,26 @@ spec:
           - name: metrics
             containerPort: {{ .Values.notifications.containerPorts.metrics }}
             protocol: TCP
+          {{- if .Values.notifications.livenessProbe.enabled }}
+          livenessProbe:
+            tcpSocket:
+              port: metrics
+            initialDelaySeconds: {{ .Values.notifications.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.notifications.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.notifications.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.notifications.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.notifications.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.notifications.readinessProbe.enabled }}
+          readinessProbe:
+            tcpSocket:
+              port: metrics
+            initialDelaySeconds: {{ .Values.notifications.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.notifications.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.notifications.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.notifications.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.notifications.readinessProbe.failureThreshold }}
+          {{- end }}
           resources:
             {{- toYaml .Values.notifications.resources | nindent 12 }}
           {{- with .Values.notifications.containerSecurityContext }}

charts/argo-cd/templates/argocd-notifications/metrics.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "argo-cd.notifications.fullname" . }}-metrics
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" "metrics") | nindent 4 }}
     {{- with .Values.notifications.metrics.service.labels }}
@@ -24,6 +24,7 @@ spec:
   {{- if and .Values.notifications.metrics.service.clusterIP (eq .Values.notifications.metrics.service.type "ClusterIP") }}
   clusterIP: {{ .Values.notifications.metrics.service.clusterIP }}
   {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   selector:
     {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }}
   ports:

charts/argo-cd/templates/argocd-notifications/networkpolicy.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
   name: {{ template "argo-cd.notifications.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
 spec:

charts/argo-cd/templates/argocd-notifications/pdb.yaml

@@ -3,7 +3,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "argo-cd.notifications.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
     {{- with .Values.notifications.pdb.labels }}

charts/argo-cd/templates/argocd-notifications/role.yaml

@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ template "argo-cd.notifications.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
 rules:
@@ -37,7 +37,7 @@ rules:
 - apiGroups:
   - ""
   resourceNames:
-  - argocd-notifications-secret
+  - {{ .Values.notifications.secret.name }}
   resources:
   - secrets
   verbs:

charts/argo-cd/templates/argocd-notifications/rolebinding.yaml

@@ -2,16 +2,16 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "argo-cd.notifications.fullname" . }}
+  name: {{ include "argo-cd.notifications.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "argo-cd.notifications.fullname" . }}
+  name: {{ include "argo-cd.notifications.fullname" . }}
 subjects:
   - kind: ServiceAccount
-    name: {{ template "argo-cd.notificationsServiceAccountName" . }}
+    name: {{ include "argo-cd.notifications.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ include "argo-cd.namespace" . }}
 {{- end }}

charts/argo-cd/templates/argocd-notifications/serviceaccount.yaml

@@ -3,17 +3,17 @@ apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.notifications.serviceAccount.automountServiceAccountToken }}
 metadata:
-  name: {{ template "argo-cd.notificationsServiceAccountName" . }}
+  name: {{ include "argo-cd.notifications.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
-{{- if .Values.notifications.serviceAccount.annotations }}
+  {{- with .Values.notifications.serviceAccount.annotations }}
   annotations:
-  {{- range $key, $value := .Values.notifications.serviceAccount.annotations }}
+    {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
-  {{- range $key, $value := .Values.notifications.serviceAccount.labels }}
+    {{- with .Values.notifications.serviceAccount.labels }}
-    {{ $key }}: {{ $value | quote }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

charts/argo-cd/templates/argocd-notifications/servicemonitor.yaml

@@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "argo-cd.notifications.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.notifications.metrics.serviceMonitor.namespace | quote }}
+  namespace: {{ default (include  "argo-cd.namespace" .) .Values.notifications.metrics.serviceMonitor.namespace | quote }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
     {{- with .Values.notifications.metrics.serviceMonitor.selector }}
@@ -41,9 +41,10 @@ spec:
       metricRelabelings:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      honorLabels: {{ .Values.notifications.metrics.serviceMonitor.honorLabels }}
   namespaceSelector:
     matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "argo-cd.namespace" . }}
   selector:
     matchLabels:
       {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.notifications.name "name" "metrics") | nindent 6 }}

charts/argo-cd/templates/argocd-repo-server/clusterrole.yaml

@@ -1,5 +1,4 @@
-{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
+{{- if and .Values.createClusterRoles .Values.repoServer.clusterRoleRules.enabled }}
-{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -7,8 +6,8 @@ metadata:
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 rules:
-  {{- if .Values.repoServer.clusterRoleRules.enabled }}
+  {{- with .Values.repoServer.clusterRoleRules.rules }}
-    {{- toYaml .Values.repoServer.clusterRoleRules.rules | nindent 2 }}
+    {{- toYaml . | nindent 2 }}
   {{- else }}
   - apiGroups:
     - '*'

charts/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml

@@ -1,5 +1,4 @@
-{{- $config := .Values.repoServer.clusterAdminAccess | default dict -}}
+{{- if and .Values.createClusterRoles .Values.repoServer.clusterRoleRules.enabled }}
-{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -12,6 +11,6 @@ roleRef:
   name: {{ include "argo-cd.repoServer.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "argo-cd.repoServerServiceAccountName" . }}
+  name: {{ include "argo-cd.repoServer.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "argo-cd.namespace" . }}
 {{- end }}

charts/argo-cd/templates/argocd-repo-server/deployment.yaml

@@ -8,7 +8,7 @@ metadata:
     {{- end }}
   {{- end }}
   name: {{ template "argo-cd.repoServer.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 spec:
@@ -30,7 +30,7 @@ spec:
         {{- if .Values.repoServer.certificateSecret.enabled }}
         checksum/repo-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-repo-server-tls-secret.yaml") . | sha256sum }}
         {{- end }}
-        {{- if (hasKey .Values.server "configEnabled") | ternary .Values.server.configEnabled .Values.configs.cm.create }}
+        {{- if .Values.configs.cm.create }}
         checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
         {{- end }}
         {{- if .Values.configs.cmp.create }}
@@ -47,6 +47,9 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- with .Values.repoServer.runtimeClassName | default .Values.global.runtimeClassName }}
+      runtimeClassName: {{ . }}
+      {{- end }}
       {{- with .Values.repoServer.imagePullSecrets | default .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -65,7 +68,8 @@ spec:
       {{- if .Values.repoServer.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.repoServer.terminationGracePeriodSeconds }}
       {{- end }}
-      serviceAccountName: {{ include "argo-cd.repoServerServiceAccountName" . }}
+      serviceAccountName: {{ include "argo-cd.repoServer.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.repoServer.automountServiceAccountToken }}
       containers:
       - name: {{ .Values.repoServer.name }}
         image: {{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}
@@ -74,14 +78,6 @@ spec:
         - /usr/local/bin/argocd-repo-server
         - --port={{ .Values.repoServer.containerPorts.server }}
         - --metrics-port={{ .Values.repoServer.containerPorts.metrics }}
-        {{- with .Values.repoServer.logFormat }}
-        - --logformat
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.repoServer.logLevel }}
-        - --loglevel
-        - {{ . | quote }}
-        {{- end }}
         {{- with .Values.repoServer.extraArgs }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -93,6 +89,8 @@ spec:
           - name: USER_NAME
             value: argocd
           {{- end }}
+          - name: ARGOCD_REPO_SERVER_NAME
+            value: {{ template "argo-cd.repoServer.fullname" . }}
           - name: ARGOCD_RECONCILIATION_TIMEOUT
             valueFrom:
               configMapKeyRef:
@@ -180,14 +178,30 @@ spec:
           - name: REDIS_USERNAME
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
                 key: redis-username
                 optional: true
           - name: REDIS_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
+                {{- if .Values.externalRedis.host }}
                 key: redis-password
+                {{- else }}
+                key: auth
+                {{- end }}
+                optional: true
+          - name: REDIS_SENTINEL_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                key: redis-sentinel-username
+                optional: true
+          - name: REDIS_SENTINEL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                key: redis-sentinel-password
                 optional: true
           - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
             valueFrom:
@@ -201,6 +215,18 @@ spec:
                 name: argocd-cmd-params-cm
                 key: otlp.address
                 optional: true
+          - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.insecure
+                optional: true
+          - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.headers
+                optional: true
           - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
             valueFrom:
               configMapKeyRef:
@@ -213,6 +239,12 @@ spec:
                 name: argocd-cmd-params-cm
                 key: reposerver.plugin.tar.exclusions
                 optional: true
+          - name: ARGOCD_REPO_SERVER_PLUGIN_USE_MANIFEST_GENERATE_PATHS
+            valueFrom:
+              configMapKeyRef:
+                key: reposerver.plugin.use.manifest.generate.paths
+                name: argocd-cmd-params-cm
+                optional: true
           - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
             valueFrom:
               configMapKeyRef:
@@ -249,6 +281,30 @@ spec:
                 key: reposerver.enable.git.submodule
                 name: argocd-cmd-params-cm
                 optional: true
+          - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
+            valueFrom:
+              configMapKeyRef:
+                key: reposerver.git.lsremote.parallelism.limit
+                name: argocd-cmd-params-cm
+                optional: true
+          - name: ARGOCD_GIT_REQUEST_TIMEOUT
+            valueFrom:
+              configMapKeyRef:
+                key: reposerver.git.request.timeout
+                name: argocd-cmd-params-cm
+                optional: true
+          - name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
+            valueFrom:
+              configMapKeyRef:
+                key: reposerver.revision.cache.lock.timeout
+                name: argocd-cmd-params-cm
+                optional: true
+          - name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
+            valueFrom:
+              configMapKeyRef:
+                key: reposerver.include.hidden.directories
+                name: argocd-cmd-params-cm
+                optional: true
           {{- if .Values.repoServer.useEphemeralHelmWorkingDir }}
           - name: HELM_CACHE_HOME
             value: /helm-working-dir
@@ -330,10 +386,8 @@ spec:
         image: {{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}
         imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}
         name: copyutil
-        {{- with .Values.repoServer.resources }}
         resources:
-          {{- toYaml . | nindent 10 }}
+          {{- toYaml .Values.repoServer.resources | nindent 10 }}
-        {{- end }}
         {{- with .Values.repoServer.containerSecurityContext }}
         securityContext:
           {{- toYaml . | nindent 10 }}
@@ -373,14 +427,50 @@ spec:
       {{- end }}
       {{- if .Values.repoServer.useEphemeralHelmWorkingDir }}
       - name: helm-working-dir
+        {{- if .Values.repoServer.existingVolumes.helmWorkingDir -}}
+        {{ toYaml .Values.repoServer.existingVolumes.helmWorkingDir | nindent 8  }}
+        {{- else }}
+          {{- if .Values.repoServer.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
+          {{- else }}
         emptyDir: {}
           {{- end }}
+        {{- end }}
+      {{- end }}
       - name: plugins
+        {{- if .Values.repoServer.existingVolumes.plugins -}}
+        {{ toYaml .Values.repoServer.existingVolumes.plugins | nindent 8  }}
+        {{- else }}
+          {{- if .Values.repoServer.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
+          {{- else }}
         emptyDir: {}
+          {{- end }}
+        {{- end }}
       - name: var-files
+        {{- if .Values.repoServer.existingVolumes.varFiles -}}
+        {{ toYaml .Values.repoServer.existingVolumes.varFiles | nindent 8  }}
+        {{- else }}
+          {{- if .Values.repoServer.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
+          {{- else }}
         emptyDir: {}
+          {{- end }}
+        {{- end }}
       - name: tmp
+        {{- if .Values.repoServer.existingVolumes.tmp -}}
+        {{ toYaml .Values.repoServer.existingVolumes.tmp | nindent 8  }}
+        {{- else }}
+          {{- if .Values.repoServer.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
+          {{- else }}
         emptyDir: {}
+          {{- end }}
+        {{- end }}
       - name: ssh-known-hosts
         configMap:
           name: argocd-ssh-known-hosts-cm
@@ -391,7 +481,16 @@ spec:
         configMap:
           name: argocd-gpg-keys-cm
       - name: gpg-keyring
+        {{- if .Values.repoServer.existingVolumes.gpgKeyring -}}
+        {{ toYaml .Values.repoServer.existingVolumes.gpgKeyring | nindent 8  }}
+        {{- else }}
+          {{- if .Values.repoServer.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
+          {{- else }}
         emptyDir: {}
+          {{- end }}
+        {{- end }}
       - name: argocd-repo-server-tls
         secret:
           secretName: argocd-repo-server-tls

charts/argo-cd/templates/argocd-repo-server/hpa.yaml

@@ -3,7 +3,7 @@ apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
   name: {{ include "argo-cd.repoServer.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 spec:

charts/argo-cd/templates/argocd-repo-server/metrics.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "argo-cd.repoServer.fullname" . }}-metrics
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" (printf "%s-metrics" .Values.repoServer.name)) | nindent 4 }}
     {{- with .Values.repoServer.metrics.service.labels }}
@@ -24,6 +24,7 @@ spec:
   {{- if and .Values.repoServer.metrics.service.clusterIP (eq .Values.repoServer.metrics.service.type "ClusterIP") }}
   clusterIP: {{ .Values.repoServer.metrics.service.clusterIP }}
   {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.repoServer.metrics.service.portName }}
     protocol: TCP

charts/argo-cd/templates/argocd-repo-server/networkpolicy.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
   name: {{ template "argo-cd.repoServer.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
 spec:
   ingress:
   - from:
@@ -20,11 +20,9 @@ spec:
         matchLabels:
           {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 10 }}
     {{- end }}
-    {{- if .Values.applicationSet.enabled }}
     - podSelector:
         matchLabels:
           {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 10 }}
-    {{- end }}
     ports:
     - port: repo-server
       protocol: TCP

charts/argo-cd/templates/argocd-repo-server/pdb.yaml

@@ -3,7 +3,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "argo-cd.repoServer.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
     {{- with .Values.repoServer.pdb.labels }}

charts/argo-cd/templates/argocd-repo-server/role.yaml

@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: {{ template "argo-cd.repoServer.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 rules:

charts/argo-cd/templates/argocd-repo-server/rolebinding.yaml

@@ -2,16 +2,16 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ template "argo-cd.repoServer.fullname" . }}
+  name: {{ include "argo-cd.repoServer.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: {{ template "argo-cd.repoServer.fullname" . }}
+  name: {{ include "argo-cd.repoServer.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ template "argo-cd.repoServerServiceAccountName" . }}
+  name: {{ include "argo-cd.repoServer.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "argo-cd.namespace" . }}
 {{- end }}

charts/argo-cd/templates/argocd-repo-server/service.yaml

@@ -13,8 +13,9 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
   name: {{ template "argo-cd.repoServer.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
 spec:
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.repoServer.service.portName }}
     protocol: TCP

charts/argo-cd/templates/argocd-repo-server/serviceaccount.yaml

@@ -3,17 +3,17 @@ apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.repoServer.serviceAccount.automountServiceAccountToken }}
 metadata:
-  name: {{ template "argo-cd.repoServerServiceAccountName" . }}
+  name: {{ include "argo-cd.repoServer.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
-{{- if .Values.repoServer.serviceAccount.annotations }}
+  {{- with .Values.repoServer.serviceAccount.annotations }}
   annotations:
-  {{- range $key, $value := .Values.repoServer.serviceAccount.annotations }}
+    {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
-  {{- range $key, $value := .Values.repoServer.serviceAccount.labels }}
+    {{- with .Values.repoServer.serviceAccount.labels }}
-    {{ $key }}: {{ $value | quote }}
+      {{- toYaml . | nindent 4 }}
     {{- end }}
 {{- end }}

charts/argo-cd/templates/argocd-repo-server/servicemonitor.yaml

@@ -3,7 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ template "argo-cd.repoServer.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.repoServer.metrics.serviceMonitor.namespace | default }}
+  namespace: {{ default (include  "argo-cd.namespace" .) .Values.repoServer.metrics.serviceMonitor.namespace | quote }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
     {{- with .Values.repoServer.metrics.serviceMonitor.selector }}
@@ -22,6 +22,9 @@ spec:
       {{- with .Values.repoServer.metrics.serviceMonitor.interval }}
       interval: {{ . }}
       {{- end }}
+      {{- with .Values.repoServer.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ . }}
+      {{- end }}
       path: /metrics
       {{- with .Values.repoServer.metrics.serviceMonitor.relabelings }}
       relabelings:
@@ -31,6 +34,7 @@ spec:
       metricRelabelings:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      honorLabels: {{ .Values.repoServer.metrics.serviceMonitor.honorLabels }}
       {{- with .Values.repoServer.metrics.serviceMonitor.scheme }}
       scheme: {{ . }}
       {{- end }}
@@ -40,7 +44,7 @@ spec:
       {{- end }}
   namespaceSelector:
     matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "argo-cd.namespace" . }}
   selector:
     matchLabels:
       {{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.repoServer.name "name" (printf "%s-metrics" .Values.repoServer.name)) | nindent 6 }}

charts/argo-cd/templates/argocd-server/aws/ingress.yaml

@@ -0,0 +1,71 @@
+{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "aws") }}
+{{- $insecure := index .Values.configs.params "server.insecure" | toString -}}
+{{- $servicePort := eq $insecure "true" | ternary .Values.server.service.servicePortHttp .Values.server.service.servicePortHttps -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "argo-cd.server.fullname" . }}
+  namespace: {{ include  "argo-cd.namespace" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
+    {{- with .Values.server.ingress.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    alb.ingress.kubernetes.io/conditions.{{ include "argo-cd.server.fullname" . }}-grpc: |
+      [{"field":"http-header","httpHeaderConfig":{"httpHeaderName": "Content-Type", "values":["application/grpc"]}}]
+    {{- range $key, $value := .Values.server.ingress.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+spec:
+  {{- with .Values.server.ingress.ingressClassName }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.server.ingress.hostname | default .Values.global.domain }}
+      http:
+        paths:
+          {{- with .Values.server.ingress.extraPaths }}
+            {{- tpl (toYaml .) $ | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.server.ingress.path }}
+            pathType: {{ $.Values.server.ingressGrpc.pathType }}
+            backend:
+              service:
+                name: {{ include "argo-cd.server.fullname" $ }}-grpc
+                port:
+                  number: {{ $servicePort }}
+          - path: {{ .Values.server.ingress.path }}
+            pathType: {{ $.Values.server.ingress.pathType }}
+            backend:
+              service:
+                name: {{ include "argo-cd.server.fullname" . }}
+                port:
+                  number: {{ $servicePort }}
+    {{- range .Values.server.ingress.extraHosts }}
+    - host: {{ .name | quote }}
+      http:
+        paths:
+          - path: {{ default $.Values.server.ingress.path .path }}
+            pathType: {{ default $.Values.server.ingress.pathType .pathType }}
+            backend:
+              service:
+                name: {{ include "argo-cd.server.fullname" $ }}
+                port:
+                  number: {{ $servicePort }}
+    {{- end }}
+    {{- with .Values.server.ingress.extraRules }}
+      {{- tpl (toYaml .) $ | nindent 4 }}
+    {{- end }}
+  {{- if or .Values.server.ingress.tls .Values.server.ingress.extraTls }}
+  tls:
+    {{- if .Values.server.ingress.tls }}
+    - hosts:
+      - {{ .Values.server.ingress.hostname | default .Values.global.domain }}
+      secretName: argocd-server-tls
+    {{- end }}
+    {{- with .Values.server.ingress.extraTls }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}

charts/argo-cd/templates/argocd-server/aws/service.yaml

@@ -1,14 +1,15 @@
-{{- if and .Values.server.ingressGrpc.enabled .Values.server.ingressGrpc.isAWSALB -}}
+{{- if and .Values.server.ingress.enabled (eq .Values.server.ingress.controller "aws") }}
 apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    alb.ingress.kubernetes.io/backend-protocol-version: {{ .Values.server.ingressGrpc.awsALB.backendProtocolVersion }}
+    alb.ingress.kubernetes.io/backend-protocol-version: {{ .Values.server.ingress.aws.backendProtocolVersion }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" (print .Values.server.name "-gprc") "name" (print .Values.server.name "-grpc")) | nindent 4 }}
   name: {{ template "argo-cd.server.fullname" . }}-grpc
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
 spec:
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.server.service.servicePortHttpName }}
     protocol: TCP
@@ -21,5 +22,5 @@ spec:
   selector:
     {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
   sessionAffinity: None
-  type: {{ .Values.server.ingressGrpc.awsALB.serviceType }}
+  type: {{ .Values.server.ingress.aws.serviceType }}
 {{- end -}}

charts/argo-cd/templates/argocd-server/certificate.yaml

@@ -9,14 +9,21 @@ metadata:
     {{- end }}
   {{- end }}
   name: {{ include "argo-cd.server.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 spec:
-  secretName: {{ .Values.server.certificate.secretName }}
+  {{- with .Values.server.certificate.secretTemplateAnnotations }}
-  commonName: {{ .Values.server.certificate.domain | quote }}
+  secretTemplate:
+    annotations:
+      {{- range $key, $value := . }}
+      {{ $key }}: {{ $value | quote }}
+      {{- end }}
+  {{- end }} 
+  secretName: argocd-server-tls
+  commonName: {{ .Values.server.certificate.domain | default .Values.global.domain }}
   dnsNames:
-    - {{ .Values.server.certificate.domain | quote }}
+    - {{ .Values.server.certificate.domain | default .Values.global.domain }}
     {{- range .Values.server.certificate.additionalHosts }}
     - {{ . | quote }}
     {{- end }}

charts/argo-cd/templates/argocd-server/clusterrole.yaml

@@ -1,5 +1,4 @@
-{{- $config := .Values.server.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
-{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -7,31 +6,32 @@ metadata:
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 rules:
+  {{- if .Values.server.clusterRoleRules.enabled }}
+    {{- toYaml .Values.server.clusterRoleRules.rules | nindent 2 }}
+  {{- else }}
   - apiGroups:
       - '*'
     resources:
       - '*'
     verbs:
-      - delete
+      - delete  # supports deletion a live object in UI
-      - get
+      - get     # supports viewing live object manifest in UI
-      - patch
+      - patch   # supports `argocd app patch`
   - apiGroups:
       - ""
     resources:
       - events
     verbs:
-      - list
+      - list    # supports listing events in UI
-      {{- if (index .Values.configs.params "application.namespaces") }}
       - create
-      {{- end }}
   - apiGroups:
       - ""
     resources:
       - pods
       - pods/log
     verbs:
-      - get
+      - get     # supports viewing pod logs from UI
-  {{- if eq (toString (index (coalesce .Values.server.config .Values.configs.cm) "exec.enabled")) "true" }}
+  {{- if eq (toString (index .Values.configs.cm "exec.enabled")) "true" }}
   - apiGroups:
       - ""
     resources:
@@ -49,6 +49,17 @@ rules:
       - list
       - update
       - watch
+  {{- if (index .Values.configs.params "application.namespaces") }}
+  - apiGroups:
+      - "argoproj.io"
+    resources:
+      - "applications"
+    verbs:
+      - create
+      - delete
+      - update
+      - patch
+  {{- end }}
   - apiGroups:
       - batch
     resources:
@@ -64,3 +75,4 @@ rules:
       {{/* supports triggering workflows from UI */}}
       - create
   {{- end }}
+{{- end }}

charts/argo-cd/templates/argocd-server/clusterrolebinding.yaml

@@ -1,5 +1,4 @@
-{{- $config := .Values.server.clusterAdminAccess | default dict -}}
+{{- if .Values.createClusterRoles }}
-{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -12,6 +11,6 @@ roleRef:
   name: {{ include "argo-cd.server.fullname" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ include "argo-cd.serverServiceAccountName" . }}
+  name: {{ include "argo-cd.server.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ include "argo-cd.namespace" . }}
 {{- end }}

charts/argo-cd/templates/argocd-server/deployment.yaml

@@ -8,7 +8,7 @@ metadata:
     {{- end }}
   {{- end }}
   name: {{ template "argo-cd.server.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
 spec:
@@ -27,6 +27,9 @@ spec:
     metadata:
       annotations:
         checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
+        {{- if .Values.configs.cm.create }}
+        checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
+        {{- end }}
         {{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.server.podAnnotations) }}
         {{- range $key, $value := . }}
         {{ $key }}: {{ $value | quote }}
@@ -38,6 +41,9 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- with .Values.server.runtimeClassName | default .Values.global.runtimeClassName }}
+      runtimeClassName: {{ . }}
+      {{- end }}
       {{- with .Values.server.imagePullSecrets | default .Values.global.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
@@ -56,7 +62,8 @@ spec:
       {{- if .Values.server.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }}
       {{- end }}
-      serviceAccountName: {{ include "argo-cd.serverServiceAccountName" . }}
+      serviceAccountName: {{ include "argo-cd.server.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.server.automountServiceAccountToken }}
       containers:
       - name: {{ .Values.server.name }}
         image: {{ default .Values.global.image.repository .Values.server.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.server.image.tag }}
@@ -65,14 +72,6 @@ spec:
         - /usr/local/bin/argocd-server
         - --port={{ .Values.server.containerPorts.server }}
         - --metrics-port={{ .Values.server.containerPorts.metrics }}
-        {{- with .Values.server.logFormat }}
-        - --logformat
-        - {{ . | quote }}
-        {{- end }}
-        {{- with .Values.server.logLevel }}
-        - --loglevel
-        - {{ . | quote }}
-        {{- end }}
         {{- with .Values.server.extraArgs }}
           {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -80,6 +79,8 @@ spec:
           {{- with (concat .Values.global.env .Values.server.env) }}
             {{- toYaml . | nindent 10 }}
           {{- end }}
+          - name: ARGOCD_SERVER_NAME
+            value: {{ template "argo-cd.server.fullname" . }}
           - name: ARGOCD_SERVER_INSECURE
             valueFrom:
               configMapKeyRef:
@@ -245,14 +246,30 @@ spec:
           - name: REDIS_USERNAME
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
                 key: redis-username
                 optional: true
           - name: REDIS_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
+                {{- if .Values.externalRedis.host }}
                 key: redis-password
+                {{- else }}
+                key: auth
+                {{- end }}
+                optional: true
+          - name: REDIS_SENTINEL_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                key: redis-sentinel-username
+                optional: true
+          - name: REDIS_SENTINEL_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                key: redis-sentinel-password
                 optional: true
           - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
             valueFrom:
@@ -284,6 +301,18 @@ spec:
                 name: argocd-cmd-params-cm
                 key: otlp.address
                 optional: true
+          - name: ARGOCD_SERVER_OTLP_INSECURE
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.insecure
+                optional: true
+          - name: ARGOCD_SERVER_OTLP_HEADERS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: otlp.headers
+                optional: true
           - name: ARGOCD_APPLICATION_NAMESPACES
             valueFrom:
               configMapKeyRef:
@@ -296,6 +325,60 @@ spec:
                 name: argocd-cmd-params-cm
                 key: server.enable.proxy.extension
                 optional: true
+          - name: ARGOCD_K8SCLIENT_RETRY_MAX
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: server.k8sclient.retry.max
+                optional: true
+          - name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: server.k8sclient.retry.base.backoff
+                optional: true
+          - name: ARGOCD_API_CONTENT_TYPES
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: server.api.content.types
+                optional: true
+          - name: ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: server.webhook.parallelism.limit
+                optional: true
+          - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
+            valueFrom:
+              configMapKeyRef:
+                key: applicationsetcontroller.enable.new.git.file.globbing
+                name: argocd-cmd-params-cm
+                optional: true
+          - name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
+            valueFrom:
+              configMapKeyRef:
+                key: applicationsetcontroller.scm.root.ca.path
+                name: argocd-cmd-params-cm
+                optional: true
+          - name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: applicationsetcontroller.allowed.scm.providers
+                optional: true
+          - name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: applicationsetcontroller.enable.scm.providers
+                optional: true
+          - name: ARGOCD_HYDRATOR_ENABLED
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: hydrator.enabled
+                optional: true
         {{- with .Values.server.envFrom }}
         envFrom:
           {{- toYaml . | nindent 10 }}
@@ -318,6 +401,8 @@ spec:
           name: styles
         - mountPath: /tmp
           name: tmp
+        - name: argocd-cmd-params-cm
+          mountPath: /home/argocd/params
         {{- if .Values.server.extensions.enabled }}
         - mountPath: /tmp/extensions
           name: extensions
@@ -415,12 +500,27 @@ spec:
       {{- end }}
       {{- if .Values.server.extensions.enabled }}
       - name: extensions
+        {{- if .Values.server.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.server.emptyDir.sizeLimit }}
+        {{- else }}
         emptyDir: {}
         {{- end }}
+      {{- end }}
       - name: plugins-home
+        {{- if .Values.server.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.server.emptyDir.sizeLimit }}
+        {{- else }}
         emptyDir: {}
+        {{- end }}
       - name: tmp
+        {{- if .Values.server.emptyDir.sizeLimit }}
+        emptyDir:
+          sizeLimit: {{ .Values.server.emptyDir.sizeLimit }}
+        {{- else }}
         emptyDir: {}
+        {{- end }}
       - name: ssh-known-hosts
         configMap:
           name: argocd-ssh-known-hosts-cm
@@ -451,6 +551,13 @@ spec:
             path: tls.crt
           - key: ca.crt
             path: ca.crt
+      - name: argocd-cmd-params-cm
+        configMap:
+          optional: true
+          name: argocd-cmd-params-cm
+          items:
+          - key: server.profile.enabled
+            path: profiler.enabled
       {{- if .Values.server.hostNetwork }}
       hostNetwork: {{ .Values.server.hostNetwork }}
       {{- end }}