feat(argo-workflows): added new argo-workflows chart and deprecated argo chart (#668)

* feat: added new argo-workflows chart and deprecated argo chart Signed-off-by: chgl <chgl@users.noreply.github.com> * fix: removed maintainers from deprecated argo chart Signed-off-by: chgl <chgl@users.noreply.github.com> * docs: rm pullPolicy from snippet since the global images.pullPolicy is actually used Signed-off-by: chgl <chgl@users.noreply.github.com> * use Chart.AppVersion as the default image tag Signed-off-by: chgl <chgl@users.noreply.github.com> * updated various links Signed-off-by: chgl <chgl@users.noreply.github.com> * enabled metrics endpoint and liveness probe by default Signed-off-by: chgl <chgl@users.noreply.github.com> * fix: use new-style labels Signed-off-by: chgl <chgl@users.noreply.github.com> * fix: set securitycontext for server to something more secure Signed-off-by: chgl <chgl@users.noreply.github.com> * Update charts/argo-workflows/templates/_helpers.tpl Signed-off-by: chgl <chgl@users.noreply.github.com> Co-authored-by: Brandon Mayfield <563214+bmayfi3ld@users.noreply.github.com> Signed-off-by: chgl <chgl@users.noreply.github.com> * bumped argo chart version Signed-off-by: chgl <chgl@users.noreply.github.com> * Update charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com> Signed-off-by: chgl <chgl@users.noreply.github.com> * Update charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com> Signed-off-by: chgl <chgl@users.noreply.github.com> * Update charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com> Signed-off-by: chgl <chgl@users.noreply.github.com> * Update charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com> Signed-off-by: chgl <chgl@users.noreply.github.com> * Update charts/argo-workflows/templates/controller/workflow-controller-service.yaml Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com> Signed-off-by: chgl <chgl@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Brandon Mayfield <563214+bmayfi3ld@users.noreply.github.com> Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com> Signed-off-by: chgl <chgl@users.noreply.github.com> * used ingress from argo-cd Signed-off-by: chgl <chgl@users.noreply.github.com> * Update charts/argo-workflows/templates/server/server-deployment.yaml Signed-off-by: chgl <chgl@users.noreply.github.com> Co-authored-by: Brandon Mayfield <mayfield.brandon.a@gmail.com> * updated argo-wf to v3.0.2 Signed-off-by: chgl <chgl@users.noreply.github.com> * aligned serviceAccount configuration with argo-cd values Signed-off-by: chgl <chgl@users.noreply.github.com> * docs: updated breaking changes in README Signed-off-by: chgl <chgl@users.noreply.github.com> * fix: use .Capabilities.APIVersions.Has in Ingress template Signed-off-by: chgl <chgl@users.noreply.github.com> Co-authored-by: Brandon Mayfield <563214+bmayfi3ld@users.noreply.github.com> Co-authored-by: Oliver Bähler <oliverbaehler@hotmail.com> Co-authored-by: Brandon Mayfield <mayfield.brandon.a@gmail.com>
2021-05-21 14:19:05 +02:00 · 2021-05-21 14:19:05 +02:00 · 82b655dadc
commit 82b655dadc
parent 70234a635e
35 changed files with 1789 additions and 6 deletions
--- a/charts/argo-workflows/values.yaml
+++ b/charts/argo-workflows/values.yaml
@ -0,0 +1,331 @@
+images:
+  # imagePullPolicy to apply to all containers
+  pullPolicy: Always
+  # Secrets with credentials to pull images from a private registry
+  pullSecrets: []
+  # - name: argo-pull-secret
+
+init:
+  # By default the installation will not set an explicit one, which will mean it uses `default` for the namespace the chart is
+  # being deployed to.  In RBAC clusters, that will almost certainly fail.  See the NOTES: section of the readme for more info.
+  serviceAccount: ""
+
+createAggregateRoles: true
+
+# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents,
+# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy.
+singleNamespace: false
+
+workflow:
+  namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created.
+  serviceAccount:
+    create: false # Specifies whether a service account should be created
+    annotations: {}
+    name: "argo-workflow" # Service account which is used to run workflows
+  rbac:
+    create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows
+
+controller:
+  image:
+    registry: quay.io
+    repository: argoproj/workflow-controller
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
+  # parallelism dictates how many workflows can be running at the same time
+  parallelism:
+  # podAnnotations is an optional map of annotations to be applied to the controller Pods
+  podAnnotations: {}
+  # Optional labels to add to the controller pods
+  podLabels: {}
+  # SecurityContext to set on the controller pods
+  podSecurityContext: {}
+  # podPortName: http
+  metricsConfig:
+    enabled: false
+    path: /metrics
+    port: 9090
+    servicePort: 8080
+    servicePortName: metrics
+  # the controller container's securityContext
+  securityContext:
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+  persistence: {}
+  # connectionPool:
+  #   maxIdleConns: 100
+  #   maxOpenConns: 0
+  # # save the entire workflow into etcd and DB
+  # nodeStatusOffLoad: false
+  # # enable archiving of old workflows
+  # archive: false
+  # postgresql:
+  #   host: localhost
+  #   port: 5432
+  #   database: postgres
+  #   tableName: argo_workflows
+  #   # the database secrets must be in the same namespace of the controller
+  #   userNameSecret:
+  #     name: argo-postgres-config
+  #     key: username
+  #   passwordSecret:
+  #     name: argo-postgres-config
+  #     key: password
+  workflowDefaults: {} # Only valid for 2.7+
+  #  spec:
+  #    ttlStrategy:
+  #      secondsAfterCompletion: 84600
+  # workflowWorkers: 32
+  # podWorkers: 32
+  workflowRestrictions: {} # Only valid for 2.9+
+  #  templateReferencing: Strict|Secure
+  telemetryConfig:
+    enabled: false
+    path: /telemetry
+    port: 8081
+    servicePort: 8081
+    servicePortName: telemetry
+  serviceMonitor:
+    enabled: false
+    additionalLabels: {}
+  serviceAccount:
+    create: true
+    name: argo
+    # Annotations applied to created service account
+    annotations: {}
+  name: workflow-controller
+  workflowNamespaces:
+    - default
+  containerRuntimeExecutor: docker
+  instanceID:
+    # `instanceID.enabled` configures the controller to filter workflow submissions
+    # to only those which have a matching instanceID attribute.
+    enabled: false
+    # NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
+    # or `instanceID.explicitID` must be defined.
+    # useReleaseName: true
+    # explicitID: unique-argo-controller-identifier
+  logging:
+    level: info
+    globallevel: "0"
+  serviceType: ClusterIP
+  # Annotations to be applied to the controller Service
+  serviceAnnotations: {}
+  # Optional labels to add to the controller Service
+  serviceLabels: {}
+  # Source ranges to allow access to service from. Only applies to
+  # service type `LoadBalancer`
+  loadBalancerSourceRanges: []
+  resources: {}
+  # The list of environment variable definitions to be added to the controller
+  # manages container verbatim.
+  extraEnv: []
+  # Extra arguments to be added to the controller
+  extraArgs: []
+  replicas: 1
+  pdb:
+    enabled: false
+    # minAvailable: 1
+    # maxUnavailable: 1
+  ## Node selectors and tolerations for server scheduling to nodes with taints
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+  ##
+  nodeSelector:
+    kubernetes.io/os: linux
+  tolerations: []
+  affinity: {}
+  # Leverage a PriorityClass to ensure your pods survive resource shortages
+  # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+  # PriorityClass: system-cluster-critical
+  priorityClassName: ""
+  # https://argoproj.github.io/argo-workflows/links/
+  links: []
+
+# executor controls how the init and wait container should be customized
+executor:
+  image:
+    registry: quay.io
+    repository: argoproj/argoexec
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
+  resources: {}
+  # Adds environment variables for the executor.
+  env: {}
+  # sets security context for the executor container
+  securityContext: {}
+
+server:
+  enabled: true
+  # only updates base url of resources on client side,
+  # it's expected that a proxy server rewrites the request URL and gets rid of this prefix
+  # https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
+  baseHref: /
+  image:
+    registry: quay.io
+    repository: argoproj/argocli
+    # Overrides the image tag whose default is the chart appVersion.
+    tag: ""
+  # optional map of annotations to be applied to the ui Pods
+  podAnnotations: {}
+  # Optional labels to add to the UI pods
+  podLabels: {}
+  # SecurityContext to set on the server pods
+  podSecurityContext: {}
+  securityContext:
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+  name: server
+  serviceType: ClusterIP
+  servicePort: 2746
+  # servicePortName: http
+  serviceAccount:
+    create: true
+    name: argo-server
+    annotations: {}
+  # Annotations to be applied to the UI Service
+  serviceAnnotations: {}
+  # Optional labels to add to the UI Service
+  serviceLabels: {}
+  # Static IP address to assign to loadBalancer
+  # service type `LoadBalancer`
+  loadBalancerIP: ""
+  # Source ranges to allow access to service from. Only applies to
+  # service type `LoadBalancer`
+  loadBalancerSourceRanges: []
+  resources: {}
+  replicas: 1
+  pdb:
+    enabled: false
+    # minAvailable: 1
+    # maxUnavailable: 1
+  ## Node selectors and tolerations for server scheduling to nodes with taints
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+  ##
+  nodeSelector:
+    kubernetes.io/os: linux
+  tolerations: []
+  affinity: {}
+  # Leverage a PriorityClass to ensure your pods survive resource shortages
+  # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+  # PriorityClass: system-cluster-critical
+  priorityClassName: ""
+
+  # Run the argo server in "secure" mode. Configure this value instead of
+  # "--secure" in extraArgs. See the following documentation for more details
+  # on secure mode:
+  # https://argoproj.github.io/argo-workflows/tls/
+  secure: false
+
+  # Extra arguments to provide to the Argo server binary.
+  extraArgs: []
+
+  ## Additional volumes to the server main container.
+  volumeMounts: []
+  volumes: []
+
+  ## Ingress configuration.
+  ## ref: https://kubernetes.io/docs/user-guide/ingress/
+  ##
+  ingress:
+    enabled: false
+    annotations: {}
+    labels: {}
+    ingressClassName: ""
+
+    ## Argo Workflows Server Ingress.
+    ## Hostnames must be provided if Ingress is enabled.
+    ## Secrets must be manually created in the namespace
+    ##
+    hosts:
+      []
+      # - argocd.example.com
+    paths:
+      - /
+    extraPaths:
+      []
+      # - path: /*
+      #   backend:
+      #     serviceName: ssl-redirect
+      #     servicePort: use-annotation
+    tls:
+      []
+      # - secretName: argocd-example-tls
+      #   hosts:
+      #     - argocd.example.com
+    https: false
+
+  clusterWorkflowTemplates:
+    # Give the server permissions to edit ClusterWorkflowTemplates.
+    enableEditing: true
+  sso:
+    ## SSO configuration when SSO is specified as a server auth mode.
+    ## All the values are required. SSO is activated by adding --auth-mode=sso
+    ## to the server command line.
+    #
+    ## The root URL of the OIDC identity provider.
+    # issuer: https://accounts.google.com
+    ## Name of a secret and a key in it to retrieve the app OIDC client ID from.
+    # clientId:
+    #   name: argo-server-sso
+    #   key: client-id
+    ## Name of a secret and a key in it to retrieve the app OIDC client secret from.
+    # clientSecret:
+    #   name: argo-server-sso
+    #   key: client-secret
+    ## The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
+    # redirectUrl: https://argo/oauth2/callback
+    # rbac:
+    #   enabled: true
+    ## When present, restricts secrets the server can read to a given list.
+    ## You can use it to restrict the server to only be able to access the
+    ## service account token secrets that are associated with service accounts
+    ## used for authorization.
+    #   secretWhitelist: []
+    ## Scopes requested from the SSO ID provider.  The 'groups' scope requests
+    ## group membership information, which is usually used for authorization
+    ## decisions.
+    # scopes:
+    # - groups
+
+# Influences the creation of the ConfigMap for the workflow-controller itself.
+useDefaultArtifactRepo: false
+useStaticCredentials: true
+artifactRepository:
+  # archiveLogs will archive the main container logs as an artifact
+  archiveLogs: false
+  s3:
+    # Note the `key` attribute is not the actual secret, it's the PATH to
+    # the contents in the associated secret, as defined by the `name` attribute.
+    accessKeySecret:
+      # name: <releaseName>-minio
+      key: accesskey
+    secretKeySecret:
+      # name: <releaseName>-minio
+      key: secretkey
+    insecure: true
+    # bucket:
+    # endpoint:
+    # region:
+    # roleARN:
+    # useSDKCreds: true
+  # gcs:
+  # bucket: <project>-argo
+  # keyFormat: "{{workflow.namespace}}/{{workflow.name}}/"
+  # serviceAccountKeySecret is a secret selector.
+  # It references the k8s secret named 'my-gcs-credentials'.
+  # This secret is expected to have have the key 'serviceAccountKey',
+  # containing the base64 encoded credentials
+  # to the bucket.
+  #
+  # If it's running on GKE and Workload Identity is used,
+  # serviceAccountKeySecret is not needed.
+  # serviceAccountKeySecret:
+  # name: my-gcs-credentials
+  # key: serviceAccountKey