argo-helm/charts/argo-workflows/values.yaml

images:
  # imagePullPolicy to apply to all containers
  pullPolicy: Always
  # Secrets with credentials to pull images from a private registry
  pullSecrets: []
  # - name: argo-pull-secret

init:
  # By default the installation will not set an explicit one, which will mean it uses `default` for the namespace the chart is
  # being deployed to.  In RBAC clusters, that will almost certainly fail.  See the NOTES: section of the readme for more info.
  serviceAccount: ""

createAggregateRoles: true

## String to partially override "argo-workflows.fullname" template
##
nameOverride:

## String to fully override "argo-workflows.fullname" template
##
fullnameOverride:

# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents,
# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy.
singleNamespace: false

workflow:
  namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created.
  serviceAccount:
    create: false # Specifies whether a service account should be created
    annotations: {}
    name: "argo-workflow" # Service account which is used to run workflows
  rbac:
    create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows

controller:
  image:
    registry: quay.io
    repository: argoproj/workflow-controller
    # Overrides the image tag whose default is the chart appVersion.
    tag: ""
  # parallelism dictates how many workflows can be running at the same time
  parallelism:
  # podAnnotations is an optional map of annotations to be applied to the controller Pods
  podAnnotations: {}
  # Optional labels to add to the controller pods
  podLabels: {}
  # SecurityContext to set on the controller pods
  podSecurityContext: {}
  # podPortName: http
  metricsConfig:
    enabled: false
    path: /metrics
    port: 9090
    servicePort: 8080
    servicePortName: metrics
  # the controller container's securityContext
  securityContext:
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  persistence: {}
  # connectionPool:
  #   maxIdleConns: 100
  #   maxOpenConns: 0
  # # save the entire workflow into etcd and DB
  # nodeStatusOffLoad: false
  # # enable archiving of old workflows
  # archive: false
  # postgresql:
  #   host: localhost
  #   port: 5432
  #   database: postgres
  #   tableName: argo_workflows
  #   # the database secrets must be in the same namespace of the controller
  #   userNameSecret:
  #     name: argo-postgres-config
  #     key: username
  #   passwordSecret:
  #     name: argo-postgres-config
  #     key: password
  workflowDefaults: {} # Only valid for 2.7+
  #  spec:
  #    ttlStrategy:
  #      secondsAfterCompletion: 84600
  # workflowWorkers: 32
  # podWorkers: 32
  workflowRestrictions: {} # Only valid for 2.9+
  #  templateReferencing: Strict|Secure
  telemetryConfig:
    enabled: false
    path: /telemetry
    port: 8081
    servicePort: 8081
    servicePortName: telemetry
  serviceMonitor:
    enabled: false
    additionalLabels: {}
  serviceAccount:
    create: true
    name: ""
    # Annotations applied to created service account
    annotations: {}
  name: workflow-controller
  workflowNamespaces:
    - default
  containerRuntimeExecutor: docker
  instanceID:
    # `instanceID.enabled` configures the controller to filter workflow submissions
    # to only those which have a matching instanceID attribute.
    enabled: false
    # NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
    # or `instanceID.explicitID` must be defined.
    # useReleaseName: true
    # explicitID: unique-argo-controller-identifier
  logging:
    level: info
    globallevel: "0"
  serviceType: ClusterIP
  # Annotations to be applied to the controller Service
  serviceAnnotations: {}
  # Optional labels to add to the controller Service
  serviceLabels: {}
  # Source ranges to allow access to service from. Only applies to
  # service type `LoadBalancer`
  loadBalancerSourceRanges: []
  resources: {}

  ## Extra environment variables to provide to the controller container
  ## extraEnv:
  ##   - name: FOO
  ##     value: "bar"
  extraEnv: []

  # Extra arguments to be added to the controller
  extraArgs: []
  replicas: 1
  pdb:
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 1
  ## Node selectors and tolerations for server scheduling to nodes with taints
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  ##
  nodeSelector:
    kubernetes.io/os: linux
  tolerations: []
  affinity: {}
  # Leverage a PriorityClass to ensure your pods survive resource shortages
  # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  # PriorityClass: system-cluster-critical
  priorityClassName: ""
  # https://argoproj.github.io/argo-workflows/links/
  links: []
  clusterWorkflowTemplates:
    # Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
    enabled: true

# executor controls how the init and wait container should be customized
executor:
  image:
    registry: quay.io
    repository: argoproj/argoexec
    # Overrides the image tag whose default is the chart appVersion.
    tag: ""
  resources: {}
  # Adds environment variables for the executor.
  env: {}
  # sets security context for the executor container
  securityContext: {}

server:
  enabled: true
  # only updates base url of resources on client side,
  # it's expected that a proxy server rewrites the request URL and gets rid of this prefix
  # https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
  baseHref: /
  image:
    registry: quay.io
    repository: argoproj/argocli
    # Overrides the image tag whose default is the chart appVersion.
    tag: ""
  # optional map of annotations to be applied to the ui Pods
  podAnnotations: {}
  # Optional labels to add to the UI pods
  podLabels: {}
  # SecurityContext to set on the server pods
  podSecurityContext: {}
  securityContext:
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  name: server
  serviceType: ClusterIP
  servicePort: 2746
  # servicePortName: http
  serviceAccount:
    create: true
    name: ""
    annotations: {}
  # Annotations to be applied to the UI Service
  serviceAnnotations: {}
  # Optional labels to add to the UI Service
  serviceLabels: {}
  # Static IP address to assign to loadBalancer
  # service type `LoadBalancer`
  loadBalancerIP: ""
  # Source ranges to allow access to service from. Only applies to
  # service type `LoadBalancer`
  loadBalancerSourceRanges: []
  resources: {}
  replicas: 1
  pdb:
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 1
  ## Node selectors and tolerations for server scheduling to nodes with taints
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
  ##
  nodeSelector:
    kubernetes.io/os: linux
  tolerations: []
  affinity: {}
  # Leverage a PriorityClass to ensure your pods survive resource shortages
  # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  # PriorityClass: system-cluster-critical
  priorityClassName: ""

  # Run the argo server in "secure" mode. Configure this value instead of
  # "--secure" in extraArgs. See the following documentation for more details
  # on secure mode:
  # https://argoproj.github.io/argo-workflows/tls/
  secure: false

  ## Extra environment variables to provide to the argo-server container
  ## extraEnv:
  ##   - name: FOO
  ##     value: "bar"
  extraEnv: []

  # Extra arguments to provide to the Argo server binary.
  extraArgs: []

  ## Additional volumes to the server main container.
  volumeMounts: []
  volumes: []

  ## Ingress configuration.
  ## ref: https://kubernetes.io/docs/user-guide/ingress/
  ##
  ingress:
    enabled: false
    annotations: {}
    labels: {}
    ingressClassName: ""

    ## Argo Workflows Server Ingress.
    ## Hostnames must be provided if Ingress is enabled.
    ## Secrets must be manually created in the namespace
    ##
    hosts:
      []
      # - argocd.example.com
    paths:
      - /
    extraPaths:
      []
      # - path: /*
      #   backend:
      #     serviceName: ssl-redirect
      #     servicePort: use-annotation
      ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
      # - path: /*
      #   pathType: Prefix
      #   backend:
      #     service
      #       name: ssl-redirect
      #       port:
      #         name: use-annotation
    tls:
      []
      # - secretName: argocd-example-tls
      #   hosts:
      #     - argocd.example.com
    https: false

  clusterWorkflowTemplates:
    # Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
    enabled: true
    # Give the server permissions to edit ClusterWorkflowTemplates.
    enableEditing: true
  sso:
    ## SSO configuration when SSO is specified as a server auth mode.
    ## All the values are required. SSO is activated by adding --auth-mode=sso
    ## to the server command line.
    #
    ## The root URL of the OIDC identity provider.
    # issuer: https://accounts.google.com
    ## Name of a secret and a key in it to retrieve the app OIDC client ID from.
    # clientId:
    #   name: argo-server-sso
    #   key: client-id
    ## Name of a secret and a key in it to retrieve the app OIDC client secret from.
    # clientSecret:
    #   name: argo-server-sso
    #   key: client-secret
    ## The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
    # redirectUrl: https://argo/oauth2/callback
    # rbac:
    #   enabled: true
    ## When present, restricts secrets the server can read to a given list.
    ## You can use it to restrict the server to only be able to access the
    ## service account token secrets that are associated with service accounts
    ## used for authorization.
    #   secretWhitelist: []
    ## Scopes requested from the SSO ID provider.  The 'groups' scope requests
    ## group membership information, which is usually used for authorization
    ## decisions.
    # scopes:
    # - groups

# Influences the creation of the ConfigMap for the workflow-controller itself.
useDefaultArtifactRepo: false
useStaticCredentials: true
artifactRepository:
  # archiveLogs will archive the main container logs as an artifact
  archiveLogs: false
  s3:
    # Note the `key` attribute is not the actual secret, it's the PATH to
    # the contents in the associated secret, as defined by the `name` attribute.
    accessKeySecret:
      # name: <releaseName>-minio
      key: accesskey
    secretKeySecret:
      # name: <releaseName>-minio
      key: secretkey
    insecure: true
    # bucket:
    # endpoint:
    # region:
    # roleARN:
    # useSDKCreds: true
  # gcs:
  # bucket: <project>-argo
  # keyFormat: "{{workflow.namespace}}/{{workflow.name}}/"
  # serviceAccountKeySecret is a secret selector.
  # It references the k8s secret named 'my-gcs-credentials'.
  # This secret is expected to have have the key 'serviceAccountKey',
  # containing the base64 encoded credentials
  # to the bucket.
  #
  # If it's running on GKE and Workload Identity is used,
  # serviceAccountKeySecret is not needed.
  # serviceAccountKeySecret:
  # name: my-gcs-credentials
  # key: serviceAccountKey