332 lines
11 KiB
YAML
332 lines
11 KiB
YAML
|
images:
|
||
|
|
# imagePullPolicy to apply to all containers
|
||
|
|
pullPolicy: Always
|
||
|
|
# Secrets with credentials to pull images from a private registry
|
||
|
|
pullSecrets: []
|
||
|
|
# - name: argo-pull-secret
|
||
|
|
|
||
|
|
init:
|
||
|
|
# By default the installation will not set an explicit one, which will mean it uses `default` for the namespace the chart is
|
||
|
|
# being deployed to. In RBAC clusters, that will almost certainly fail. See the NOTES: section of the readme for more info.
|
||
|
|
serviceAccount: ""
|
||
|
|
|
||
|
|
createAggregateRoles: true
|
||
|
|
|
||
|
|
# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents,
|
||
|
|
# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy.
|
||
|
|
singleNamespace: false
|
||
|
|
|
||
|
|
workflow:
|
||
|
|
namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created.
|
||
|
|
serviceAccount:
|
||
|
|
create: false # Specifies whether a service account should be created
|
||
|
|
annotations: {}
|
||
|
|
name: "argo-workflow" # Service account which is used to run workflows
|
||
|
|
rbac:
|
||
|
|
create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows
|
||
|
|
|
||
|
|
controller:
|
||
|
|
image:
|
||
|
|
registry: quay.io
|
||
|
|
repository: argoproj/workflow-controller
|
||
|
|
# Overrides the image tag whose default is the chart appVersion.
|
||
|
|
tag: ""
|
||
|
|
# parallelism dictates how many workflows can be running at the same time
|
||
|
|
parallelism:
|
||
|
|
# podAnnotations is an optional map of annotations to be applied to the controller Pods
|
||
|
|
podAnnotations: {}
|
||
|
|
# Optional labels to add to the controller pods
|
||
|
|
podLabels: {}
|
||
|
|
# SecurityContext to set on the controller pods
|
||
|
|
podSecurityContext: {}
|
||
|
|
# podPortName: http
|
||
|
|
metricsConfig:
|
||
|
|
enabled: false
|
||
|
|
path: /metrics
|
||
|
|
port: 9090
|
||
|
|
servicePort: 8080
|
||
|
|
servicePortName: metrics
|
||
|
|
# the controller container's securityContext
|
||
|
|
securityContext:
|
||
|
|
readOnlyRootFilesystem: true
|
||
|
|
runAsNonRoot: true
|
||
|
|
allowPrivilegeEscalation: false
|
||
|
|
capabilities:
|
||
|
|
drop:
|
||
|
|
- ALL
|
||
|
|
persistence: {}
|
||
|
|
# connectionPool:
|
||
|
|
# maxIdleConns: 100
|
||
|
|
# maxOpenConns: 0
|
||
|
|
# # save the entire workflow into etcd and DB
|
||
|
|
# nodeStatusOffLoad: false
|
||
|
|
# # enable archiving of old workflows
|
||
|
|
# archive: false
|
||
|
|
# postgresql:
|
||
|
|
# host: localhost
|
||
|
|
# port: 5432
|
||
|
|
# database: postgres
|
||
|
|
# tableName: argo_workflows
|
||
|
|
# # the database secrets must be in the same namespace of the controller
|
||
|
|
# userNameSecret:
|
||
|
|
# name: argo-postgres-config
|
||
|
|
# key: username
|
||
|
|
# passwordSecret:
|
||
|
|
# name: argo-postgres-config
|
||
|
|
# key: password
|
||
|
|
workflowDefaults: {} # Only valid for 2.7+
|
||
|
|
# spec:
|
||
|
|
# ttlStrategy:
|
||
|
|
# secondsAfterCompletion: 84600
|
||
|
|
# workflowWorkers: 32
|
||
|
|
# podWorkers: 32
|
||
|
|
workflowRestrictions: {} # Only valid for 2.9+
|
||
|
|
# templateReferencing: Strict|Secure
|
||
|
|
telemetryConfig:
|
||
|
|
enabled: false
|
||
|
|
path: /telemetry
|
||
|
|
port: 8081
|
||
|
|
servicePort: 8081
|
||
|
|
servicePortName: telemetry
|
||
|
|
serviceMonitor:
|
||
|
|
enabled: false
|
||
|
|
additionalLabels: {}
|
||
|
|
serviceAccount:
|
||
|
|
create: true
|
||
|
|
name: argo
|
||
|
|
# Annotations applied to created service account
|
||
|
|
annotations: {}
|
||
|
|
name: workflow-controller
|
||
|
|
workflowNamespaces:
|
||
|
|
- default
|
||
|
|
containerRuntimeExecutor: docker
|
||
|
|
instanceID:
|
||
|
|
# `instanceID.enabled` configures the controller to filter workflow submissions
|
||
|
|
# to only those which have a matching instanceID attribute.
|
||
|
|
enabled: false
|
||
|
|
# NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
|
||
|
|
# or `instanceID.explicitID` must be defined.
|
||
|
|
# useReleaseName: true
|
||
|
|
# explicitID: unique-argo-controller-identifier
|
||
|
|
logging:
|
||
|
|
level: info
|
||
|
|
globallevel: "0"
|
||
|
|
serviceType: ClusterIP
|
||
|
|
# Annotations to be applied to the controller Service
|
||
|
|
serviceAnnotations: {}
|
||
|
|
# Optional labels to add to the controller Service
|
||
|
|
serviceLabels: {}
|
||
|
|
# Source ranges to allow access to service from. Only applies to
|
||
|
|
# service type `LoadBalancer`
|
||
|
|
loadBalancerSourceRanges: []
|
||
|
|
resources: {}
|
||
|
|
# The list of environment variable definitions to be added to the controller
|
||
|
|
# manages container verbatim.
|
||
|
|
extraEnv: []
|
||
|
|
# Extra arguments to be added to the controller
|
||
|
|
extraArgs: []
|
||
|
|
replicas: 1
|
||
|
|
pdb:
|
||
|
|
enabled: false
|
||
|
|
# minAvailable: 1
|
||
|
|
# maxUnavailable: 1
|
||
|
|
## Node selectors and tolerations for server scheduling to nodes with taints
|
||
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
|
||
|
|
##
|
||
|
|
nodeSelector:
|
||
|
|
kubernetes.io/os: linux
|
||
|
|
tolerations: []
|
||
|
|
affinity: {}
|
||
|
|
# Leverage a PriorityClass to ensure your pods survive resource shortages
|
||
|
|
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
|
||
|
|
# PriorityClass: system-cluster-critical
|
||
|
|
priorityClassName: ""
|
||
|
|
# https://argoproj.github.io/argo-workflows/links/
|
||
|
|
links: []
|
||
|
|
|
||
|
|
# executor controls how the init and wait container should be customized
|
||
|
|
executor:
|
||
|
|
image:
|
||
|
|
registry: quay.io
|
||
|
|
repository: argoproj/argoexec
|
||
|
|
# Overrides the image tag whose default is the chart appVersion.
|
||
|
|
tag: ""
|
||
|
|
resources: {}
|
||
|
|
# Adds environment variables for the executor.
|
||
|
|
env: {}
|
||
|
|
# sets security context for the executor container
|
||
|
|
securityContext: {}
|
||
|
|
|
||
|
|
server:
|
||
|
|
enabled: true
|
||
|
|
# only updates base url of resources on client side,
|
||
|
|
# it's expected that a proxy server rewrites the request URL and gets rid of this prefix
|
||
|
|
# https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
|
||
|
|
baseHref: /
|
||
|
|
image:
|
||
|
|
registry: quay.io
|
||
|
|
repository: argoproj/argocli
|
||
|
|
# Overrides the image tag whose default is the chart appVersion.
|
||
|
|
tag: ""
|
||
|
|
# optional map of annotations to be applied to the ui Pods
|
||
|
|
podAnnotations: {}
|
||
|
|
# Optional labels to add to the UI pods
|
||
|
|
podLabels: {}
|
||
|
|
# SecurityContext to set on the server pods
|
||
|
|
podSecurityContext: {}
|
||
|
|
securityContext:
|
||
|
|
readOnlyRootFilesystem: false
|
||
|
|
runAsNonRoot: true
|
||
|
|
allowPrivilegeEscalation: false
|
||
|
|
capabilities:
|
||
|
|
drop:
|
||
|
|
- ALL
|
||
|
|
name: server
|
||
|
|
serviceType: ClusterIP
|
||
|
|
servicePort: 2746
|
||
|
|
# servicePortName: http
|
||
|
|
serviceAccount:
|
||
|
|
create: true
|
||
|
|
name: argo-server
|
||
|
|
annotations: {}
|
||
|
|
# Annotations to be applied to the UI Service
|
||
|
|
serviceAnnotations: {}
|
||
|
|
# Optional labels to add to the UI Service
|
||
|
|
serviceLabels: {}
|
||
|
|
# Static IP address to assign to loadBalancer
|
||
|
|
# service type `LoadBalancer`
|
||
|
|
loadBalancerIP: ""
|
||
|
|
# Source ranges to allow access to service from. Only applies to
|
||
|
|
# service type `LoadBalancer`
|
||
|
|
loadBalancerSourceRanges: []
|
||
|
|
resources: {}
|
||
|
|
replicas: 1
|
||
|
|
pdb:
|
||
|
|
enabled: false
|
||
|
|
# minAvailable: 1
|
||
|
|
# maxUnavailable: 1
|
||
|
|
## Node selectors and tolerations for server scheduling to nodes with taints
|
||
|
|
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
|
||
|
|
##
|
||
|
|
nodeSelector:
|
||
|
|
kubernetes.io/os: linux
|
||
|
|
tolerations: []
|
||
|
|
affinity: {}
|
||
|
|
# Leverage a PriorityClass to ensure your pods survive resource shortages
|
||
|
|
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
|
||
|
|
# PriorityClass: system-cluster-critical
|
||
|
|
priorityClassName: ""
|
||
|
|
|
||
|
|
# Run the argo server in "secure" mode. Configure this value instead of
|
||
|
|
# "--secure" in extraArgs. See the following documentation for more details
|
||
|
|
# on secure mode:
|
||
|
|
# https://argoproj.github.io/argo-workflows/tls/
|
||
|
|
secure: false
|
||
|
|
|
||
|
|
# Extra arguments to provide to the Argo server binary.
|
||
|
|
extraArgs: []
|
||
|
|
|
||
|
|
## Additional volumes to the server main container.
|
||
|
|
volumeMounts: []
|
||
|
|
volumes: []
|
||
|
|
|
||
|
|
## Ingress configuration.
|
||
|
|
## ref: https://kubernetes.io/docs/user-guide/ingress/
|
||
|
|
##
|
||
|
|
ingress:
|
||
|
|
enabled: false
|
||
|
|
annotations: {}
|
||
|
|
labels: {}
|
||
|
|
ingressClassName: ""
|
||
|
|
|
||
|
|
## Argo Workflows Server Ingress.
|
||
|
|
## Hostnames must be provided if Ingress is enabled.
|
||
|
|
## Secrets must be manually created in the namespace
|
||
|
|
##
|
||
|
|
hosts:
|
||
|
|
[]
|
||
|
|
# - argocd.example.com
|
||
|
|
paths:
|
||
|
|
- /
|
||
|
|
extraPaths:
|
||
|
|
[]
|
||
|
|
# - path: /*
|
||
|
|
# backend:
|
||
|
|
# serviceName: ssl-redirect
|
||
|
|
# servicePort: use-annotation
|
||
|
|
tls:
|
||
|
|
[]
|
||
|
|
# - secretName: argocd-example-tls
|
||
|
|
# hosts:
|
||
|
|
# - argocd.example.com
|
||
|
|
https: false
|
||
|
|
|
||
|
|
clusterWorkflowTemplates:
|
||
|
|
# Give the server permissions to edit ClusterWorkflowTemplates.
|
||
|
|
enableEditing: true
|
||
|
|
sso:
|
||
|
|
## SSO configuration when SSO is specified as a server auth mode.
|
||
|
|
## All the values are required. SSO is activated by adding --auth-mode=sso
|
||
|
|
## to the server command line.
|
||
|
|
#
|
||
|
|
## The root URL of the OIDC identity provider.
|
||
|
|
# issuer: https://accounts.google.com
|
||
|
|
## Name of a secret and a key in it to retrieve the app OIDC client ID from.
|
||
|
|
# clientId:
|
||
|
|
# name: argo-server-sso
|
||
|
|
# key: client-id
|
||
|
|
## Name of a secret and a key in it to retrieve the app OIDC client secret from.
|
||
|
|
# clientSecret:
|
||
|
|
# name: argo-server-sso
|
||
|
|
# key: client-secret
|
||
|
|
## The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
|
||
|
|
# redirectUrl: https://argo/oauth2/callback
|
||
|
|
# rbac:
|
||
|
|
# enabled: true
|
||
|
|
## When present, restricts secrets the server can read to a given list.
|
||
|
|
## You can use it to restrict the server to only be able to access the
|
||
|
|
## service account token secrets that are associated with service accounts
|
||
|
|
## used for authorization.
|
||
|
|
# secretWhitelist: []
|
||
|
|
## Scopes requested from the SSO ID provider. The 'groups' scope requests
|
||
|
|
## group membership information, which is usually used for authorization
|
||
|
|
## decisions.
|
||
|
|
# scopes:
|
||
|
|
# - groups
|
||
|
|
|
||
|
|
# Influences the creation of the ConfigMap for the workflow-controller itself.
|
||
|
|
useDefaultArtifactRepo: false
|
||
|
|
useStaticCredentials: true
|
||
|
|
artifactRepository:
|
||
|
|
# archiveLogs will archive the main container logs as an artifact
|
||
|
|
archiveLogs: false
|
||
|
|
s3:
|
||
|
|
# Note the `key` attribute is not the actual secret, it's the PATH to
|
||
|
|
# the contents in the associated secret, as defined by the `name` attribute.
|
||
|
|
accessKeySecret:
|
||
|
|
# name: <releaseName>-minio
|
||
|
|
key: accesskey
|
||
|
|
secretKeySecret:
|
||
|
|
# name: <releaseName>-minio
|
||
|
|
key: secretkey
|
||
|
|
insecure: true
|
||
|
|
# bucket:
|
||
|
|
# endpoint:
|
||
|
|
# region:
|
||
|
|
# roleARN:
|
||
|
|
# useSDKCreds: true
|
||
|
|
# gcs:
|
||
|
|
# bucket: <project>-argo
|
||
|
|
# keyFormat: "{{workflow.namespace}}/{{workflow.name}}/"
|
||
|
|
# serviceAccountKeySecret is a secret selector.
|
||
|
|
# It references the k8s secret named 'my-gcs-credentials'.
|
||
|
|
# This secret is expected to have have the key 'serviceAccountKey',
|
||
|
|
# containing the base64 encoded credentials
|
||
|
|
# to the bucket.
|
||
|
|
#
|
||
|
|
# If it's running on GKE and Workload Identity is used,
|
||
|
|
# serviceAccountKeySecret is not needed.
|
||
|
|
# serviceAccountKeySecret:
|
||
|
|
# name: my-gcs-credentials
|
||
|
|
# key: serviceAccountKey
|