From 82b655dadcaba8aad895465b0033ba26aed170da Mon Sep 17 00:00:00 2001 From: chgl Date: Fri, 21 May 2021 14:19:05 +0200 Subject: [PATCH] feat(argo-workflows): added new argo-workflows chart and deprecated argo chart (#668) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat: added new argo-workflows chart and deprecated argo chart Signed-off-by: chgl * fix: removed maintainers from deprecated argo chart Signed-off-by: chgl * docs: rm pullPolicy from snippet since the global images.pullPolicy is actually used Signed-off-by: chgl * use Chart.AppVersion as the default image tag Signed-off-by: chgl * updated various links Signed-off-by: chgl * enabled metrics endpoint and liveness probe by default Signed-off-by: chgl * fix: use new-style labels Signed-off-by: chgl * fix: set securitycontext for server to something more secure Signed-off-by: chgl * Update charts/argo-workflows/templates/_helpers.tpl Signed-off-by: chgl Co-authored-by: Brandon Mayfield <563214+bmayfi3ld@users.noreply.github.com> Signed-off-by: chgl * bumped argo chart version Signed-off-by: chgl * Update charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Co-authored-by: Oliver Bähler Signed-off-by: chgl * Update charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Co-authored-by: Oliver Bähler Signed-off-by: chgl * Update charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Co-authored-by: Oliver Bähler Signed-off-by: chgl * Update charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml Co-authored-by: Oliver Bähler Signed-off-by: chgl * Update charts/argo-workflows/templates/controller/workflow-controller-service.yaml Co-authored-by: Oliver Bähler Signed-off-by: chgl * Apply suggestions from code review Co-authored-by: Brandon Mayfield <563214+bmayfi3ld@users.noreply.github.com> Co-authored-by: Oliver Bähler Signed-off-by: chgl * used ingress from argo-cd 
Signed-off-by: chgl * Update charts/argo-workflows/templates/server/server-deployment.yaml Signed-off-by: chgl Co-authored-by: Brandon Mayfield * updated argo-wf to v3.0.2 Signed-off-by: chgl * aligned serviceAccount configuration with argo-cd values Signed-off-by: chgl * docs: updated breaking changes in README Signed-off-by: chgl * fix: use .Capabilities.APIVersions.Has in Ingress template 
Signed-off-by: chgl Co-authored-by: Brandon Mayfield <563214+bmayfi3ld@users.noreply.github.com> Co-authored-by: Oliver Bähler Co-authored-by: Brandon Mayfield --- charts/argo-workflows/.helmignore | 21 ++ charts/argo-workflows/Chart.yaml | 15 + charts/argo-workflows/README.md | 48 +++ .../ci/enable-ingress-values.yaml | 5 + .../ci/enable-metrics-values.yaml | 7 + .../argo-workflows/ci/enable-rbac-values.yaml | 5 + .../argoproj.io_clusterworkflowtemplates.yaml | 35 ++ .../crds/argoproj.io_cronworkflows.yaml | 38 ++ .../argoproj.io_workfloweventbindings.yaml | 34 ++ .../crds/argoproj.io_workflows.yaml | 48 +++ .../crds/argoproj.io_workflowtemplates.yaml | 34 ++ charts/argo-workflows/templates/NOTES.txt | 7 + charts/argo-workflows/templates/_helpers.tpl | 96 +++++ .../controller/workflow-aggregate-roles.yaml | 95 +++++ .../workflow-controller-cluster-roles.yaml | 148 ++++++++ .../workflow-controller-config-map.yaml | 87 +++++ .../controller/workflow-controller-crb.yaml | 48 +++ .../workflow-controller-deployment-pdb.yaml | 19 + .../workflow-controller-deployment.yaml | 104 ++++++ .../controller/workflow-controller-sa.yaml | 8 + .../workflow-controller-service.yaml | 38 ++ .../workflow-controller-servicemonitor.yaml | 29 ++ .../templates/controller/workflow-rb.yaml | 19 + .../templates/controller/workflow-role.yaml | 25 ++ .../templates/controller/workflow-sa.yaml | 13 + .../server/server-cluster-roles.yaml | 136 +++++++ .../templates/server/server-crb.yaml | 39 +++ .../server/server-deployment-pdb.yaml | 19 + .../templates/server/server-deployment.yaml | 105 ++++++ .../templates/server/server-ingress.yaml | 88 +++++ .../templates/server/server-sa.yaml | 10 + .../templates/server/server-service.yaml | 31 ++ charts/argo-workflows/values.yaml | 331 ++++++++++++++++++ charts/argo/Chart.yaml | 8 +- charts/argo/README.md | 2 + 35 files changed, 1789 insertions(+), 6 deletions(-) create mode 100644 charts/argo-workflows/.helmignore create mode 100644 
charts/argo-workflows/Chart.yaml create mode 100644 charts/argo-workflows/README.md create mode 100644 charts/argo-workflows/ci/enable-ingress-values.yaml create mode 100644 charts/argo-workflows/ci/enable-metrics-values.yaml create mode 100644 charts/argo-workflows/ci/enable-rbac-values.yaml create mode 100644 charts/argo-workflows/crds/argoproj.io_clusterworkflowtemplates.yaml create mode 100644 charts/argo-workflows/crds/argoproj.io_cronworkflows.yaml create mode 100644 charts/argo-workflows/crds/argoproj.io_workfloweventbindings.yaml create mode 100644 charts/argo-workflows/crds/argoproj.io_workflows.yaml create mode 100644 charts/argo-workflows/crds/argoproj.io_workflowtemplates.yaml create mode 100644 charts/argo-workflows/templates/NOTES.txt create mode 100644 charts/argo-workflows/templates/_helpers.tpl create mode 100644 charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-controller-crb.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-controller-sa.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-controller-service.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-rb.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-role.yaml create mode 100644 charts/argo-workflows/templates/controller/workflow-sa.yaml create mode 100644 
charts/argo-workflows/templates/server/server-cluster-roles.yaml
create mode 100644 charts/argo-workflows/templates/server/server-crb.yaml
create mode 100644 charts/argo-workflows/templates/server/server-deployment-pdb.yaml
create mode 100644 charts/argo-workflows/templates/server/server-deployment.yaml
create mode 100644 charts/argo-workflows/templates/server/server-ingress.yaml
create mode 100644 charts/argo-workflows/templates/server/server-sa.yaml
create mode 100644 charts/argo-workflows/templates/server/server-service.yaml
create mode 100644 charts/argo-workflows/values.yaml
diff --git a/charts/argo-workflows/.helmignore b/charts/argo-workflows/.helmignore
new file mode 100644
index 00000000..f0c13194
--- /dev/null
+++ b/charts/argo-workflows/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/argo-workflows/Chart.yaml b/charts/argo-workflows/Chart.yaml
new file mode 100644
index 00000000..32eb38d9
--- /dev/null
+++ b/charts/argo-workflows/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: argo-workflows
+description: A Helm chart for Argo Workflows
+type: application
+version: 0.1.0
+appVersion: "v3.0.2"
+icon: https://raw.githubusercontent.com/argoproj/argo-workflows/master/docs/assets/argo.png
+home: https://github.com/argoproj/argo-helm
+sources:
+ - https://github.com/argoproj/argo-workflows
+maintainers:
+ - name: alexec
+ - name: alexmt
+ - name: jessesuen
+ - name: benjaminws
diff --git a/charts/argo-workflows/README.md b/charts/argo-workflows/README.md
new file mode 100644
index 00000000..7e1c9dd7
--- /dev/null
+++ b/charts/argo-workflows/README.md
@@ -0,0 +1,48 @@ +# Argo Workflows Chart + +This is a **community maintained** chart. It is used to set up argo and it's needed dependencies through one command. This is used in conjunction with [helm](https://github.com/kubernetes/helm). + +If you want your deployment of this helm chart to most closely match the [argo CLI](https://github.com/argoproj/argo-workflows), you should deploy it in the `kube-system` namespace. + +## Pre-Requisites + +This chart uses an install hook to configure the CRD definition. Installation of CRDs is a somewhat privileged process in itself and in RBAC enabled clusters the `default` service account for namespaces does not typically have the ability to do create these. + +A few options are: + +- Manually create a ServiceAccount in the Namespace which your release will be deployed w/ appropriate bindings to perform this action and set the `init.serviceAccount` attribute +- Augment the `default` ServiceAccount permissions in the Namespace in which your Release is deployed to have the appropriate permissions + +## Usage Notes + +This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of it's configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs. + +## Values + +The `values.yaml` contains items used to tweak a deployment of this chart. 
+Fields to note: + +- `controller.instanceID.enabled`: If set to true, the Argo Controller will **ONLY** monitor Workflow submissions with a `--instanceid` attribute +- `controller.instanceID.useReleaseName`: If set to true then chart set controller instance id to release name +- `controller.instanceID.explicitID`: Allows customization of an instance id for the workflow controller to monitor +- `controller.workflowNamespaces`: This is a list of namespaces where workflows will be ran + +## Breaking changes from the deprecated `argo` chart + +1. the `installCRD` value has been removed. CRDs are now only installed from the conventional crds/ directory +1. the CRDs were updated to `apiextensions.k8s.io/v1` +1. the container image registry/project/tag format was changed to be more in line with the more common + + ```yaml + image: + registry: quay.io + repository: argoproj/argocli + tag: v3.0.1 + ``` + + this also makes it easier for automatic update tooling (eg. renovate bot) to detect and update images. + +1. switched to quay.io as the default registry for all images +1. removed any included usage of Minio +1. aligned the configuration of serviceAccounts with the argo-cd chart, ie: what used to be `server.createServiceAccount` is now `server.serviceAccount.create` +1. moved the previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig` diff --git a/charts/argo-workflows/ci/enable-ingress-values.yaml b/charts/argo-workflows/ci/enable-ingress-values.yaml new file mode 100644 index 00000000..d3485603 --- /dev/null +++ b/charts/argo-workflows/ci/enable-ingress-values.yaml @@ -0,0 +1,5 @@ +server: + ingress: + enabled: true + hosts: + - argo-workflows.127.0.0.1.xip.io diff --git a/charts/argo-workflows/ci/enable-metrics-values.yaml b/charts/argo-workflows/ci/enable-metrics-values.yaml new file mode 100644 index 00000000..9818ebe5 --- /dev/null +++ b/charts/argo-workflows/ci/enable-metrics-values.yaml 
@@ -0,0 +1,7 @@ +controller: + serviceMonitor: + enabled: true + metricsConfig: + enabled: true + telemetryConfig: + enabled: true diff --git a/charts/argo-workflows/ci/enable-rbac-values.yaml b/charts/argo-workflows/ci/enable-rbac-values.yaml new file mode 100644 index 00000000..10f717ac --- /dev/null +++ b/charts/argo-workflows/ci/enable-rbac-values.yaml @@ -0,0 +1,5 @@ +workflow: + serviceAccount: + create: true # Specifies whether a service account should be created + rbac: + create: true # adds Role and RoleBinding for the above specified service account to be able to run workflows diff --git a/charts/argo-workflows/crds/argoproj.io_clusterworkflowtemplates.yaml b/charts/argo-workflows/crds/argoproj.io_clusterworkflowtemplates.yaml new file mode 100644 index 00000000..fa7da83a --- /dev/null +++ b/charts/argo-workflows/crds/argoproj.io_clusterworkflowtemplates.yaml @@ -0,0 +1,35 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterworkflowtemplates.argoproj.io +spec: + group: argoproj.io + names: + kind: ClusterWorkflowTemplate + listKind: ClusterWorkflowTemplateList + plural: clusterworkflowtemplates + shortNames: + - clusterwftmpl + - cwft + singular: clusterworkflowtemplate + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/argo-workflows/crds/argoproj.io_cronworkflows.yaml b/charts/argo-workflows/crds/argoproj.io_cronworkflows.yaml new file mode 100644 index 00000000..2878fe9b --- /dev/null +++ b/charts/argo-workflows/crds/argoproj.io_cronworkflows.yaml 
@@ -0,0 +1,38 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: cronworkflows.argoproj.io +spec: + group: argoproj.io + names: + kind: CronWorkflow + listKind: CronWorkflowList + plural: cronworkflows + shortNames: + - cwf + - cronwf + singular: cronworkflow + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/argo-workflows/crds/argoproj.io_workfloweventbindings.yaml b/charts/argo-workflows/crds/argoproj.io_workfloweventbindings.yaml new file mode 100644 index 00000000..9585686a --- /dev/null +++ b/charts/argo-workflows/crds/argoproj.io_workfloweventbindings.yaml @@ -0,0 +1,34 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workfloweventbindings.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowEventBinding + listKind: WorkflowEventBindingList + plural: workfloweventbindings + shortNames: + - wfeb + singular: workfloweventbinding + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/argo-workflows/crds/argoproj.io_workflows.yaml b/charts/argo-workflows/crds/argoproj.io_workflows.yaml new file mode 100644 index 00000000..f3751e18 --- /dev/null +++ b/charts/argo-workflows/crds/argoproj.io_workflows.yaml 
@@ -0,0 +1,48 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflows.argoproj.io +spec: + group: argoproj.io + names: + kind: Workflow + listKind: WorkflowList + plural: workflows + shortNames: + - wf + singular: workflow + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Status of the workflow + jsonPath: .status.phase + name: Status + type: string + - description: When the workflow was started + format: date-time + jsonPath: .status.startedAt + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/charts/argo-workflows/crds/argoproj.io_workflowtemplates.yaml b/charts/argo-workflows/crds/argoproj.io_workflowtemplates.yaml new file mode 100644 index 00000000..f6fa080a --- /dev/null +++ b/charts/argo-workflows/crds/argoproj.io_workflowtemplates.yaml @@ -0,0 +1,34 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowtemplates.argoproj.io +spec: + group: argoproj.io + names: + kind: WorkflowTemplate + listKind: WorkflowTemplateList + plural: workflowtemplates + shortNames: + - wftmpl + singular: workflowtemplate + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true diff --git a/charts/argo-workflows/templates/NOTES.txt b/charts/argo-workflows/templates/NOTES.txt new file mode 100644 index 00000000..b6ac65d4 --- /dev/null 
+++ b/charts/argo-workflows/templates/NOTES.txt
@@ -0,0 +1,7 @@
+1. Get Argo Server external IP/domain by running:
+
+kubectl --namespace {{ .Release.Namespace }} get services -o wide | grep {{ .Release.Name }}-{{ .Values.server.name }}
+
+2. Submit the hello-world workflow by running:
+
+argo submit https://raw.githubusercontent.com/argoproj/argo-workflows/master/examples/hello-world.yaml --watch
diff --git a/charts/argo-workflows/templates/_helpers.tpl b/charts/argo-workflows/templates/_helpers.tpl
new file mode 100644
index 00000000..f5c8a4c3
--- /dev/null
+++ b/charts/argo-workflows/templates/_helpers.tpl
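Review bot: The `argo submit` hint on the last line fetches `examples/hello-world.yaml` from the `master` branch, so the example a fresh install is told to run is unpinned remote content that changes independently of the chart's `appVersion` (`v3.0.2` in Chart.yaml); pin it to the shipped release with `https://raw.githubusercontent.com/argoproj/argo-workflows/{{ .Chart.AppVersion }}/examples/hello-world.yaml`. The `grep {{ .Release.Name }}-{{ .Values.server.name }}` in step 1 also spells the service name by hand instead of going through the `argo-workflows.server.fullname` helper, which inserts the chart name between release and component; if the server Service (not in this chunk) is named via that helper the grep will not match. Using `{{ template "argo-workflows.server.fullname" . }}` keeps the hint and the template in sync.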
@@ -0,0 +1,96 @@
+{{/* vim: set filetype=mustache: */}}
+
+{{/*
+Create argo workflows server name and version as used by the chart label.
+*/}}
+{{- define "argo-workflows.server.fullname" -}}
+{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create controller name and version as used by the chart label.
+*/}}
+{{- define "argo-workflows.controller.fullname" -}}
+{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "argo-workflows.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "argo-workflows.fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "argo-workflows.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "argo-workflows.labels" -}}
+helm.sh/chart: {{ include "argo-workflows.chart" .context }}
+{{ include "argo-workflows.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
+app.kubernetes.io/managed-by: {{ .context.Release.Service }}
+app.kubernetes.io/part-of: argo-workflows
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "argo-workflows.selectorLabels" -}}
+{{- if .name -}}
+app.kubernetes.io/name: {{ include "argo-workflows.name" .context }}-{{ .name }}
+{{ end -}}
+app.kubernetes.io/instance: {{ .context.Release.Name }}
+{{- if .component }}
+app.kubernetes.io/component: {{ .component }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the server service account to use
+*/}}
+{{- define "argo-workflows.serverServiceAccountName" -}}
+{{- if .Values.server.serviceAccount.create -}}
+ {{ default (include "argo-workflows.fullname" .) .Values.server.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.server.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the controller service account to use
+*/}}
+{{- define "argo-workflows.controllerServiceAccountName" -}}
+{{- if .Values.controller.serviceAccount.create -}}
+ {{ default (include "argo-workflows.fullname" .) .Values.controller.serviceAccount.name }}
+{{- else -}}
+ {{ default "default" .Values.controller.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress
+*/}}
+{{- define "argo-workflows.ingress.apiVersion" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.Version -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.Version -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml b/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml
new file mode 100644
index 00000000..2143f208
--- /dev/null
+++ b/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml
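Review bot: Both `argo-workflows.serverServiceAccountName` and `argo-workflows.controllerServiceAccountName` fall back to the literal `default` when `serviceAccount.create` is false and no name is given, and the bindings in this patch (workflow-controller-crb.yaml) use that name as their subject, so a `create: false` install without an explicit name silently hands the controller's `pods/exec`, `secrets` and `leases` rights to the namespace's `default` ServiceAccount, i.e. to every pod that does not set its own. Fail the render instead of guessing: `{{ required "controller.serviceAccount.name must be set when controller.serviceAccount.create is false" .Values.controller.serviceAccount.name }}`, and the same for the server helper. Separately, `argo-workflows.ingress.apiVersion` selects by `KubeVersion.Version` while the commit message says the Ingress template now uses `.Capabilities.APIVersions.Has`; if the helper is no longer referenced it should be deleted rather than left as a second, diverging source of truth. `argo-workflows.fullname` also ignores any `fullnameOverride` value, which users of Helm charts generally expect to be honoured alongside `nameOverride`.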
@@ -0,0 +1,95 @@ +{{- if .Values.createAggregateRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation + name: argo-workflows-aggregate-to-view + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation + name: argo-workflows-aggregate-to-edit + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + helm.sh/hook: pre-install + helm.sh/hook-delete-policy: before-hook-creation + name: argo-workflows-aggregate-to-admin + labels: + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + verbs: 
+ - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml new file mode 100644 index 00000000..de5e88a3 --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml 
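Review bot: The three ClusterRoles are annotated `helm.sh/hook: pre-install`, which takes them out of release management: Helm will not delete them on `helm uninstall`, and because the hook fires only on install they are not re-rendered on `helm upgrade` when the rule set changes (say a new argoproj.io resource), so upgraded clusters keep stale aggregated permissions. Their names are also fixed (`argo-workflows-aggregate-to-view` and friends), so a second release on the same cluster overwrites the first release's objects. Nothing visible in this file needs hook ordering, so the simplest fix is to drop both `helm.sh/hook*` annotations and let them be ordinary release objects; if the hook is deliberate, use at least `helm.sh/hook: pre-install,pre-upgrade` and add a comment saying why a hook is required.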
@@ -0,0 +1,148 @@ +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + - pods/exec + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete + - create +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + - workflowtemplates/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - cronworkflows + - cronworkflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: + - "policy" + resources: + - poddisruptionbudgets + verbs: + - create + - get + - delete +{{- if .Values.controller.persistence }} +- apiGroups: + - "" + resources: + - secrets + resourceNames: + {{- if .Values.controller.persistence.postgresql }} + - {{ .Values.controller.persistence.postgresql.userNameSecret.name }} + - {{ .Values.controller.persistence.postgresql.passwordSecret.name }} + {{- end}} + {{- if .Values.controller.persistence.mysql }} + - {{ .Values.controller.persistence.mysql.userNameSecret.name }} + - {{ .Values.controller.persistence.mysql.passwordSecret.name }} + {{- end}} + verbs: + - 
get +{{- end}} +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - workflow-controller + - workflow-controller-lease + verbs: + - get + - watch + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template +rules: +- apiGroups: + - argoproj.io + resources: + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + verbs: + - get + - list + - watch diff --git a/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml new file mode 100644 index 00000000..afddb194 --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml 
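Review bot: The `secrets` rule guarded by `{{- if .Values.controller.persistence }}` renders `resourceNames:` with no entries whenever `persistence` is set but neither `persistence.postgresql` nor `persistence.mysql` is, and an empty `resourceNames` in RBAC means every name, so the controller would receive `get` on all Secrets — cluster-wide in the default case, since `singleNamespace` is opt-in and this object is otherwise a ClusterRole. Gate the rule on the database blocks rather than on the parent key, e.g. nest `{{- if or .Values.controller.persistence.postgresql .Values.controller.persistence.mysql }}` inside the existing `if`, or wrap the four secret names in `required` so a misconfiguration fails the render instead of widening access. The trailing `-cluster-template` ClusterRole is also named `{{ .Release.Name }}-{{ .Values.controller.name }}-cluster-template` and carries no labels, unlike every other object in this file, which is named through `argo-workflows.controller.fullname`; using the helper here keeps the name consistent with what the bindings expect.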
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "argo-workflows.controller.fullname" . }}-configmap + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" "cm") | nindent 4 }} +data: + config: | + {{- if .Values.controller.instanceID.enabled }} + {{- if .Values.controller.instanceID.useReleaseName }} + instanceID: {{ .Release.Name }} + {{- else }} + instanceID: {{ .Values.controller.instanceID.explicitID }} + {{- end }} + {{- end }} + containerRuntimeExecutor: {{ .Values.controller.containerRuntimeExecutor }} + {{- if .Values.controller.parallelism }} + parallelism: {{ .Values.controller.parallelism }} + {{- end }} + {{- if or .Values.executor.resources .Values.executor.env .Values.executor.securityContext}} + executor: + {{- with .Values.executor.resources }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.executor.env }} + env: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.executor.securityContext }} + securityContext: {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.useDefaultArtifactRepo }} + artifactRepository: + {{- if .Values.artifactRepository.archiveLogs }} + archiveLogs: {{ .Values.artifactRepository.archiveLogs }} + {{- end }} + {{- if .Values.artifactRepository.gcs }} + gcs: +{{ toYaml .Values.artifactRepository.gcs | indent 8}} + {{- else }} + s3: + {{- if .Values.useStaticCredentials }} + accessKeySecret: + key: {{ .Values.artifactRepository.s3.accessKeySecret.key }} + name: {{ .Values.artifactRepository.s3.accessKeySecret.name }} + secretKeySecret: + key: {{ .Values.artifactRepository.s3.secretKeySecret.key }} + name: {{ .Values.artifactRepository.s3.secretKeySecret.name }} + {{- end }} + bucket: {{ .Values.artifactRepository.s3.bucket }} + endpoint: {{ .Values.artifactRepository.s3.endpoint }} + insecure: {{ .Values.artifactRepository.s3.insecure }} + {{- if .Values.artifactRepository.s3.keyFormat }} + keyFormat: {{ .Values.artifactRepository.s3.keyFormat | quote }} + {{- end }} + {{- if .Values.artifactRepository.s3.region }} + region: {{ .Values.artifactRepository.s3.region }} + {{- end }} + {{- if .Values.artifactRepository.s3.roleARN }} + roleARN: {{ .Values.artifactRepository.s3.roleARN }} + {{- end }} + {{- if .Values.artifactRepository.s3.useSDKCreds }} + useSDKCreds: {{ .Values.artifactRepository.s3.useSDKCreds }} + {{- end }} + {{- end }} + {{- end}} + {{- if .Values.controller.metricsConfig.enabled }} + metricsConfig: +{{ toYaml .Values.controller.metricsConfig | indent 6}}{{- end }} + {{- if .Values.controller.telemetryConfig.enabled }} + telemetryConfig: +{{ toYaml .Values.controller.telemetryConfig | indent 6}}{{- end }} + {{- if .Values.controller.persistence }} + persistence: +{{ toYaml .Values.controller.persistence | indent 6 }}{{- end }} + {{- if .Values.controller.workflowDefaults }} + workflowDefaults: +{{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }} + {{- with .Values.server.sso }} + sso: {{- toYaml . 
| nindent 6 }} + {{- end }} + {{- with .Values.controller.workflowRestrictions }} + workflowRestrictions: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.controller.links }} + links: {{- toYaml . | nindent 6 }} + {{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml b/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml new file mode 100644 index 00000000..6879d282 --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml 
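Review bot: Several templated scalars in the rendered `config` are emitted bare — `instanceID: {{ .Values.controller.instanceID.explicitID }}`, `containerRuntimeExecutor:`, `bucket:`, `endpoint:`, `region:`, `roleARN:` — so an all-digit or zero-prefixed value becomes a YAML number and an unset one becomes `null`, and the controller may then read a different instanceID or artifact repository than the operator wrote; apply `| quote` as the template already does for `keyFormat`. `insecure: {{ .Values.artifactRepository.s3.insecure }}` is rendered unconditionally, so when the value is omitted the line is `insecure:` (null) and whether TLS to the artifact endpoint is enforced depends on how the controller's parser treats null; render it as `insecure: {{ .Values.artifactRepository.s3.insecure | default false }}` so the default is explicit and secure. Note also that `.Values.server.sso` is copied into this ConfigMap verbatim via `toYaml`, so the values documentation should make clear that `clientId`/`clientSecret` must be Secret references rather than literals, because anyone with `get configmaps` in the namespace can read this object.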
@@ -0,0 +1,48 @@ +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: RoleBinding +{{ else }} +kind: ClusterRoleBinding +{{- end }} +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + {{- if .Values.singleNamespace }} + kind: Role + {{ else }} + kind: ClusterRole + {{- end }} + name: {{ template "argo-workflows.controller.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "argo-workflows.controllerServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- if .Values.controller.workflowNamespaces }} +{{- $uiServiceAccount := (include "argo-workflows.controllerServiceAccountName" .) }} +{{- $namespace := .Release.Namespace }} +{{- range $key := .Values.controller.workflowNamespaces }} + {{- if not (eq $key $namespace) }} + - kind: ServiceAccount + name: {{ $uiServiceAccount }} + namespace: {{ $key }} + {{- end }} +{{- end }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template +subjects: + - kind: ServiceAccount + name: {{ template "argo-workflows.controllerServiceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml b/charts/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml new file mode 100644 index 00000000..564ba412 --- /dev/null 
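Review bot: The second document in this file (the `ClusterRoleBinding` named `...-cluster-template`) is emitted regardless of `singleNamespace`, so the single-namespace mode that values.yaml describes as "Roles and RoleBindings instead of the Cluster equivalents" still creates a cluster-scoped binding for the controller service account; server-crb.yaml does the same for the server. If the binding is intentional because ClusterWorkflowTemplates are cluster-scoped, a comment above the `---` such as `# ClusterWorkflowTemplates are cluster-scoped; this binding is created even when singleNamespace is true` saves the next reader the question, otherwise wrap the document in `{{- if not .Values.singleNamespace }}` … `{{- end }}`. The `$uiServiceAccount` variable holds the controller service account name, so `$controllerServiceAccount` would read correctly.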
+++ b/charts/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml @@ -0,0 +1,19 @@ +{{- if .Values.controller.pdb.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +spec: + {{- if .Values.controller.pdb.minAvailable }} + minAvailable: {{ .Values.controller.pdb.minAvailable }} + {{- else if .Values.controller.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.controller.pdb.maxUnavailable }} + {{- else }} + minAvailable: 0 + {{- end }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} +{{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml b/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml new file mode 100644 index 00000000..c35894ec --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml 
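Review bot: `apiVersion: policy/v1beta1` is hard-coded although PodDisruptionBudget `policy/v1` is GA in Kubernetes 1.21 and the beta API is deprecated from that release; server-deployment-pdb.yaml has the same header. The ingress template in this commit already branches on `.Capabilities.APIVersions.Has`, so the same idiom fits here: `apiVersion: {{ if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }}policy/v1{{ else }}policy/v1beta1{{ end }}`. The `{{- else }} minAvailable: 0` fallback yields an enabled PDB that never blocks an eviction; if that is the intended safe default when neither value is set, a comment saying so would help.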
@@ -0,0 +1,104 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.controller.image.tag | quote }} +spec: + replicas: {{ .Values.controller.replicas }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} + template: + metadata: + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }} + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.controller.image.tag | quote }} + {{- with.Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "argo-workflows.controllerServiceAccountName" . }} + {{- with .Values.controller.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: controller + image: "{{ .Values.controller.image.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.images.pullPolicy }} + command: [ "workflow-controller" ] + args: + - "--configmap" + - "{{ template "argo-workflows.controller.fullname" . 
}}-configmap" + - "--executor-image" + - "{{ .Values.executor.image.registry }}/{{ .Values.executor.image.repository }}:{{ .Values.executor.image.tag | default .Chart.AppVersion }}" + - "--loglevel" + - "{{ .Values.controller.logging.level }}" + - "--gloglevel" + - "{{ .Values.controller.logging.globallevel }}" + {{- if .Values.singleNamespace }} + - "--namespaced" + {{- end }} + {{- with .Values.controller.workflowWorkers }} + - "--workflow-workers" + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.podWorkers }} + - "--pod-workers" + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + securityContext: + {{- toYaml .Values.controller.securityContext | nindent 12 }} + env: + - name: ARGO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: LEADER_ELECTION_IDENTITY + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + {{- with .Values.controller.extraEnv }} + {{ toYaml . | nindent 10 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + ports: + - name: metrics + containerPort: {{ .Values.controller.metricsConfig.port }} + livenessProbe: + httpGet: + port: metrics + path: {{ .Values.controller.metricsConfig.path }} + initialDelaySeconds: 30 + periodSeconds: 30 + {{- with .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} 
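Review bot: `{{- with.Values.controller.podLabels }}` is missing the space after `with`; it appears to parse because `.` terminates the keyword in the template lexer, but every other `with` in the file is written `{{- with .Values... }}` and the typo will be copied. The `livenessProbe` is wired to `metricsConfig.port`/`metricsConfig.path` unconditionally, while the configmap template only writes the `metricsConfig` block when `controller.metricsConfig.enabled` is true (the values default is `false`), so the probe depends on those values matching the controller's built-in defaults; a comment such as `# assumes the controller serves metrics on metricsConfig.port/path even when metricsConfig.enabled is false` makes that dependency explicit. `{{ toYaml . | nindent 10 }}` under `extraEnv` lacks the leading `-` and leaves a whitespace-only line in the rendered manifest; `{{- toYaml . | nindent 10 }}` matches the rest of the file.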
diff --git a/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml b/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml new file mode 100644 index 00000000..e917bb41 --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "argo-workflows.controllerServiceAccountName" . }} + {{ with .Values.controller.serviceAccount.annotations }} + annotations: + {{- toYaml .| nindent 4 }} + {{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-service.yaml b/charts/argo-workflows/templates/controller/workflow-controller-service.yaml new file mode 100644 index 00000000..5c248f49 --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-controller-service.yaml 
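Review bot: The controller ServiceAccount is rendered unconditionally, whereas server-sa.yaml is wrapped in `{{- if and .Values.server.enabled .Values.server.serviceAccount.create -}}`; with `controller.serviceAccount.create: false` this file still creates the account (whether `argo-workflows.controllerServiceAccountName` honours the flag is decided in a helper outside this hunk). Wrapping the document in `{{- if .Values.controller.serviceAccount.create -}}` … `{{- end -}}` aligns the two. `{{ with .Values.controller.serviceAccount.annotations }}` is missing the leading `-`, leaving an indented blank line inside `metadata`; write `{{- with ... }}`. The resource also carries none of the `argo-workflows.labels` the other controller resources get.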
@@ -0,0 +1,38 @@ +{{- if or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.controller.image.tag | quote }} + {{- with .Values.controller.serviceLabels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.controller.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4}} + {{- end }} +spec: + ports: + {{- if .Values.controller.metricsConfig.enabled }} + - name: {{ .Values.controller.metricsConfig.servicePortName }} + port: {{ .Values.controller.metricsConfig.servicePort }} + protocol: TCP + targetPort: {{ .Values.controller.metricsConfig.port }} + {{- end }} + {{- if .Values.controller.telemetryConfig.enabled }} + - name: {{ .Values.controller.telemetryConfig.servicePortName }} + port: {{ .Values.controller.telemetryConfig.servicePort }} + protocol: TCP + targetPort: {{ .Values.controller.telemetryConfig.port }} + {{- end }} + selector: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 4 }} + sessionAffinity: None + type: {{ .Values.controller.serviceType }} + {{- if and (eq .Values.controller.serviceType "LoadBalancer") .Values.controller.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml .Values.controller.loadBalancerSourceRanges | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml b/charts/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml new file mode 100644 index 00000000..54cf1b31 --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml 
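Review bot: `{{ toYaml . | nindent 4 }}` under `serviceLabels` lacks the leading trim, so the rendered Service contains a whitespace-only line inside `labels`; `{{- toYaml . | nindent 4 }}` matches the `serviceAnnotations` block two lines below. Since this Service can expose the metrics and telemetry endpoints as `LoadBalancer`, a comment on `loadBalancerSourceRanges` in values.yaml noting that it should be set whenever `serviceType: LoadBalancer` is used would help operators avoid publishing those endpoints unrestricted.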
@@ -0,0 +1,29 @@ +{{- if and (or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled) .Values.controller.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + {{- with .Values.controller.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + {{- if .Values.controller.metricsConfig.enabled }} + - port: metrics + path: {{ .Values.controller.metricsConfig.path }} + interval: 30s + {{- end }} + {{- if .Values.controller.telemetryConfig.enabled }} + - port: telemetry + path: {{ .Values.controller.telemetryConfig.path }} + interval: 30s + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} +{{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-rb.yaml b/charts/argo-workflows/templates/controller/workflow-rb.yaml new file mode 100644 index 00000000..9b27c045 --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-rb.yaml @@ -0,0 +1,19 @@ +{{- if .Values.workflow.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "argo-workflows.fullname" . }}-workflow + {{- with .Values.workflow.namespace }} + namespace: {{ . }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "argo-workflows.fullname" . }}-workflow +subjects: +- kind: ServiceAccount + name: {{ .Values.workflow.serviceAccount.name }} + {{- with .Values.workflow.namespace }} + namespace: {{ . }} + {{- end }} +{{- end }} 
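Review bot: The ServiceMonitor endpoints reference ports by the literal names `metrics` and `telemetry`, but workflow-controller-service.yaml names them from `controller.metricsConfig.servicePortName` and `controller.telemetryConfig.servicePortName`; an operator who changes either value ends up with a monitor that matches no port and silently scrapes nothing. Use the same values here: `- port: {{ .Values.controller.metricsConfig.servicePortName }}` and `- port: {{ .Values.controller.telemetryConfig.servicePortName }}`. The `interval: 30s` is hard-coded twice; exposing it as a value is optional but cheap.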
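Review bot: workflow-rb.yaml renders no `labels`, and the same is true of workflow-role.yaml and workflow-sa.yaml in the next hunks, unlike every controller and server resource which includes `argo-workflows.labels`; adding `labels:` followed by `{{- include "argo-workflows.labels" (dict "context" . "component" "workflow" "name" "workflow") | nindent 4 }}` keeps these resources selectable the same way (the helper's arguments are defined outside this diff, so confirm the call shape). When `workflow.namespace` is set the RoleBinding is created in a namespace the release does not own; a comment recording that the namespace must already exist would spare operators a failed install.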
diff --git a/charts/argo-workflows/templates/controller/workflow-role.yaml b/charts/argo-workflows/templates/controller/workflow-role.yaml new file mode 100644 index 00000000..bf8b3cff --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-role.yaml @@ -0,0 +1,25 @@ +{{- if .Values.workflow.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "argo-workflows.fullname" . }}-workflow + {{- with .Values.workflow.namespace }} + namespace: {{ . }} + {{- end }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - watch + - patch +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - watch +{{- end }} diff --git a/charts/argo-workflows/templates/controller/workflow-sa.yaml b/charts/argo-workflows/templates/controller/workflow-sa.yaml new file mode 100644 index 00000000..dc84f2b1 --- /dev/null +++ b/charts/argo-workflows/templates/controller/workflow-sa.yaml @@ -0,0 +1,13 @@ +{{- if .Values.workflow.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.workflow.serviceAccount.name }} + {{- with .Values.workflow.namespace }} + namespace: {{ . }} + {{- end }} + {{- with .Values.workflow.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/argo-workflows/templates/server/server-cluster-roles.yaml b/charts/argo-workflows/templates/server/server-cluster-roles.yaml new file mode 100644 index 00000000..5901bbd1 --- /dev/null +++ b/charts/argo-workflows/templates/server/server-cluster-roles.yaml 
@@ -0,0 +1,136 @@ +{{- if .Values.server.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 + {{- if .Values.singleNamespace }} +kind: Role + {{- else }} +kind: ClusterRole + {{- end }} +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + - pods/exec + - pods/log + verbs: + - get + - list + - watch + - delete + {{- if .Values.server.sso }} +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - sso + verbs: + - get + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + {{- if .Values.server.sso.rbac }} +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + {{- end }} + {{- end }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +{{- if .Values.server.sso }} + {{- if .Values.server.sso.rbac }} + {{- with .Values.server.sso.rbac.secretWhitelist }} + resourceNames: {{- toYaml . 
| nindent 4 }} + {{- end }} + {{- end }} +{{- end }} +- apiGroups: + - "" + resources: + - events + verbs: + - watch + - create + - patch +{{- if .Values.controller.persistence }} +- apiGroups: + - "" + resources: + - secrets + resourceNames: + {{- with .Values.controller.persistence.postgresql }} + - {{ .userNameSecret.name }} + - {{ .passwordSecret.name }} + {{- end}} + {{- with .Values.controller.persistence.mysql }} + - {{ .userNameSecret.name }} + - {{ .passwordSecret.name }} + {{- end}} + verbs: + - get +{{- end}} +- apiGroups: + - argoproj.io + resources: + - eventsources + - sensors + - workflows + - workfloweventbindings + - workflowtemplates + - cronworkflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "argo-workflows.server.fullname" . }}-cluster-template + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +rules: +- apiGroups: + - argoproj.io + resources: + - clusterworkflowtemplates + verbs: + - get + - list + - watch + {{- if .Values.server.clusterWorkflowTemplates.enableEditing }} + - create + - update + - patch + - delete + {{- end }} +{{- end }} diff --git a/charts/argo-workflows/templates/server/server-crb.yaml b/charts/argo-workflows/templates/server/server-crb.yaml new file mode 100644 index 00000000..fd9450d5 --- /dev/null +++ b/charts/argo-workflows/templates/server/server-crb.yaml 
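Review bot: The `secrets` `get` rule that follows the `events` rule is only narrowed by `resourceNames` when `server.sso.rbac.secretWhitelist` is set, and with the default `singleNamespace: false` the kind is `ClusterRole`, so the argo-server service account can read every Secret in the cluster out of the box; deployments without SSO have no knob to tighten this at all because the `with` sits inside `{{- if .Values.server.sso }}`. Consider a value outside the SSO block (a constructed name such as `server.secretWhitelist`) that feeds the same `resourceNames:` list regardless of auth mode, and state the default in values.yaml. The `{{- if .Values.server.sso }}` checks depend on `sso:` being null in values.yaml; any non-empty map, including `--set server.sso.rbac.enabled=true` on its own, enables the extra `secrets` `create` and `serviceaccounts` rules, which a comment above the block should spell out. The enclosing `{{- if .Values.server.enabled }}` starts in the previous hunk line.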
@@ -0,0 +1,39 @@ +{{- if and .Values.server.enabled .Values.server.serviceAccount.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: RoleBinding +{{ else }} +kind: ClusterRoleBinding +{{- end }} +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + {{- if .Values.singleNamespace }} + kind: Role + {{ else }} + kind: ClusterRole + {{- end }} + name: {{ template "argo-workflows.server.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "argo-workflows.serverServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "argo-workflows.server.fullname" . }}-cluster-template + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "argo-workflows.server.fullname" . }}-cluster-template +subjects: +- kind: ServiceAccount + name: {{ template "argo-workflows.serverServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/argo-workflows/templates/server/server-deployment-pdb.yaml b/charts/argo-workflows/templates/server/server-deployment-pdb.yaml new file mode 100644 index 00000000..aeba6547 --- /dev/null +++ b/charts/argo-workflows/templates/server/server-deployment-pdb.yaml 
@@ -0,0 +1,19 @@ +{{- if and .Values.server.enabled .Values.server.pdb.enabled -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +spec: + {{- if .Values.server.pdb.minAvailable }} + minAvailable: {{ .Values.server.pdb.minAvailable }} + {{- else if .Values.server.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.server.pdb.maxUnavailable }} + {{- else }} + minAvailable: 0 + {{- end }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} +{{- end -}} diff --git a/charts/argo-workflows/templates/server/server-deployment.yaml b/charts/argo-workflows/templates/server/server-deployment.yaml new file mode 100644 index 00000000..9d1696dd --- /dev/null +++ b/charts/argo-workflows/templates/server/server-deployment.yaml 
@@ -0,0 +1,105 @@ +{{- if .Values.server.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.server.image.tag | quote }} +spec: + replicas: {{ .Values.server.replicas }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} + template: + metadata: + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 8 }} + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.server.image.tag | quote }} + {{- with .Values.server.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.podAnnotations }} + annotations: + {{- toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "argo-workflows.serverServiceAccountName" . }} + {{- with .Values.server.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: argo-server + image: "{{ .Values.server.image.registry }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.images.pullPolicy }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 12 }} + args: + - server + - --configmap={{ template "argo-workflows.controller.fullname" . }}-configmap + {{- with .Values.server.extraArgs }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + - "--secure={{ .Values.server.secure }}" + {{- if .Values.singleNamespace }} + - "--namespaced" + {{- end }} + ports: + - name: web + containerPort: 2746 + readinessProbe: + httpGet: + path: / + port: 2746 + {{- if .Values.server.secure }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 20 + env: + - name: IN_CLUSTER + value: "true" + - name: ARGO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: BASE_HREF + value: {{ .Values.server.baseHref | quote }} + resources: + {{- toYaml .Values.server.resources | nindent 12 }} + volumeMounts: + - name: tmp + mountPath: /tmp + {{- with .Values.server.volumeMounts }} + {{- toYaml . | nindent 10}} + {{- end }} + {{- with .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: tmp + emptyDir: {} + {{- with .Values.server.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + {{- with .Values.server.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} +{{- end -}} diff --git a/charts/argo-workflows/templates/server/server-ingress.yaml b/charts/argo-workflows/templates/server/server-ingress.yaml new file mode 100644 index 00000000..fe67c0a3 --- /dev/null +++ b/charts/argo-workflows/templates/server/server-ingress.yaml 
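Review bot: Inside `{{- with .Values.server.podAnnotations }}` the body calls `toYaml .Values.server.podAnnotations`, but `with` rebinds `.` to the annotations map, so `.Values` is looked up on that map and resolves to nothing; as far as I can tell Helm then fails the render with a nil-pointer error as soon as an operator sets any `server.podAnnotations`. The controller deployment uses the correct form; change the line to `{{- toYaml . | nindent 8 }}`. The container port, readiness probe and server-service.yaml all hard-code `2746`; fine today, but a single value would keep them in step. `readOnlyRootFilesystem: false` in values.yaml is paired with an `emptyDir` already mounted at `/tmp` here, so the relaxation may be unnecessary; if the server writes outside `/tmp`, a comment naming the path would justify it.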
@@ -0,0 +1,88 @@ +{{- if .Values.server.ingress.enabled -}} +{{- $serviceName := include "argo-workflows.server.fullname" . -}} +{{- $servicePort := .Values.server.servicePort -}} +{{- $paths := .Values.server.ingress.paths -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +apiVersion: {{ include "argo-workflows.ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.server.ingress.annotations }} + annotations: + {{- range $key, $value := .Values.server.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + name: {{ template "argo-workflows.server.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + {{- if .Values.server.ingress.labels }} + {{- toYaml .Values.server.ingress.labels | nindent 4 }} + {{- end }} +spec: + {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + {{- with .Values.server.ingress.ingressClassName }} + ingressClassName: {{ . 
}} + {{- end }} + {{- end }} + rules: + {{- if .Values.server.ingress.hosts }} + {{- range $host := .Values.server.ingress.hosts }} + - host: {{ $host }} + http: + paths: + {{- if $extraPaths }} + {{- toYaml $extraPaths | nindent 10 }} + {{- end }} + {{- range $p := $paths }} + - path: {{ $p }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + {{- end }} + backend: + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ $serviceName }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} + {{- end -}} + {{- else }} + - http: + paths: + {{- if $extraPaths }} + {{- toYaml $extraPaths | nindent 10 }} + {{- end }} + {{- range $p := $paths }} + - path: {{ $p }} + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + pathType: Prefix + {{- end }} + backend: + {{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }} + service: + name: {{ $serviceName }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} + {{- end -}} + {{- if .Values.server.ingress.tls }} + tls: + {{- toYaml .Values.server.ingress.tls | nindent 4 }} + {{- end -}} +{{- end -}} diff --git a/charts/argo-workflows/templates/server/server-sa.yaml b/charts/argo-workflows/templates/server/server-sa.yaml new file mode 100644 index 00000000..10e03d0e --- /dev/null +++ b/charts/argo-workflows/templates/server/server-sa.yaml 
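Review bot: `pathType: Prefix` is hard-coded for every entry of `paths` on the `networking.k8s.io/v1` branch, in both the per-host rule and the host-less fallback, although some controllers need `ImplementationSpecific` for wildcard or regex paths; `pathType: {{ .Values.server.ingress.pathType | default "Prefix" }}` (constructed value name) keeps today's behaviour by default. The two `paths:` bodies are identical apart from the enclosing `host:` line, so a `define`d helper or one `range` with an empty-host fallback would remove the duplication and the risk of the branches drifting. `server.ingress.https` from values.yaml is not consulted here.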
@@ -0,0 +1,10 @@ +{{- if and .Values.server.enabled .Values.server.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "argo-workflows.serverServiceAccountName" . }} + {{- with .Values.server.serviceAccount.annotations }} + annotations: + {{- toYaml . | indent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/argo-workflows/templates/server/server-service.yaml b/charts/argo-workflows/templates/server/server-service.yaml new file mode 100644 index 00000000..5d161ee8 --- /dev/null +++ b/charts/argo-workflows/templates/server/server-service.yaml @@ -0,0 +1,31 @@ +{{- if .Values.server.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.server.image.tag | quote }} + {{- with .Values.server.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.server.servicePort }} + {{- with .Values.server.servicePortName }} + name: {{ . }} + {{- end }} + targetPort: 2746 + selector: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }} + sessionAffinity: None + type: {{ .Values.server.serviceType }} + {{- if and (eq .Values.server.serviceType "LoadBalancer") .Values.server.loadBalancerIP }} + loadBalancerIP: {{ .Values.server.loadBalancerIP | quote }} + {{- end }} + {{- if and (eq .Values.server.serviceType "LoadBalancer") .Values.server.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml .Values.server.loadBalancerSourceRanges | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/argo-workflows/values.yaml b/charts/argo-workflows/values.yaml new file mode 100644 index 00000000..375c5eb1 --- /dev/null +++ b/charts/argo-workflows/values.yaml 
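Review bot: `{{- toYaml . | indent 4 }}` under `annotations:` trims the preceding newline, and `indent` (unlike `nindent`) does not add one back, so the first annotation is rendered on the same line as `annotations:` and the manifest is invalid YAML whenever `server.serviceAccount.annotations` is non-empty. workflow-controller-sa.yaml uses `nindent 4` for the same block; change this line to `{{- toYaml . | nindent 4 }}`. Like the controller account, the resource has no `labels:` block.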
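Review bot: server-service.yaml renders `serviceAnnotations` but never `server.serviceLabels`, although values.yaml declares that key with the comment "Optional labels to add to the UI Service" and workflow-controller-service.yaml honours its controller counterpart. Add the same block under `labels:`: `{{- with .Values.server.serviceLabels }}` / `{{- toYaml . | nindent 4 }}` / `{{- end }}`. `targetPort: 2746` duplicates the container port hard-coded in server-deployment.yaml; a shared value would keep them in step.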
@@ -0,0 +1,331 @@ +images: + # imagePullPolicy to apply to all containers + pullPolicy: Always + # Secrets with credentials to pull images from a private registry + pullSecrets: [] + # - name: argo-pull-secret + +init: + # By default the installation will not set an explicit one, which will mean it uses `default` for the namespace the chart is + # being deployed to. In RBAC clusters, that will almost certainly fail. See the NOTES: section of the readme for more info. + serviceAccount: "" + +createAggregateRoles: true + +# Restrict Argo to only deploy into a single namespace by apply Roles and RoleBindings instead of the Cluster equivalents, +# and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy. +singleNamespace: false + +workflow: + namespace: "" # Specify namespace if workflows run in another namespace than argo. This controls where the service account and RBAC resources will be created. + serviceAccount: + create: false # Specifies whether a service account should be created + annotations: {} + name: "argo-workflow" # Service account which is used to run workflows + rbac: + create: false # adds Role and RoleBinding for the above specified service account to be able to run workflows + +controller: + image: + registry: quay.io + repository: argoproj/workflow-controller + # Overrides the image tag whose default is the chart appVersion. 
+ tag: "" + # parallelism dictates how many workflows can be running at the same time + parallelism: + # podAnnotations is an optional map of annotations to be applied to the controller Pods + podAnnotations: {} + # Optional labels to add to the controller pods + podLabels: {} + # SecurityContext to set on the controller pods + podSecurityContext: {} + # podPortName: http + metricsConfig: + enabled: false + path: /metrics + port: 9090 + servicePort: 8080 + servicePortName: metrics + # the controller container's securityContext + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + persistence: {} + # connectionPool: + # maxIdleConns: 100 + # maxOpenConns: 0 + # # save the entire workflow into etcd and DB + # nodeStatusOffLoad: false + # # enable archiving of old workflows + # archive: false + # postgresql: + # host: localhost + # port: 5432 + # database: postgres + # tableName: argo_workflows + # # the database secrets must be in the same namespace of the controller + # userNameSecret: + # name: argo-postgres-config + # key: username + # passwordSecret: + # name: argo-postgres-config + # key: password + workflowDefaults: {} # Only valid for 2.7+ + # spec: + # ttlStrategy: + # secondsAfterCompletion: 84600 + # workflowWorkers: 32 + # podWorkers: 32 + workflowRestrictions: {} # Only valid for 2.9+ + # templateReferencing: Strict|Secure + telemetryConfig: + enabled: false + path: /telemetry + port: 8081 + servicePort: 8081 + servicePortName: telemetry + serviceMonitor: + enabled: false + additionalLabels: {} + serviceAccount: + create: true + name: argo + # Annotations applied to created service account + annotations: {} + name: workflow-controller + workflowNamespaces: + - default + containerRuntimeExecutor: docker + instanceID: + # `instanceID.enabled` configures the controller to filter workflow submissions + # to only those which have a matching instanceID attribute. 
+ enabled: false + # NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName` + # or `instanceID.explicitID` must be defined. + # useReleaseName: true + # explicitID: unique-argo-controller-identifier + logging: + level: info + globallevel: "0" + serviceType: ClusterIP + # Annotations to be applied to the controller Service + serviceAnnotations: {} + # Optional labels to add to the controller Service + serviceLabels: {} + # Source ranges to allow access to service from. Only applies to + # service type `LoadBalancer` + loadBalancerSourceRanges: [] + resources: {} + # The list of environment variable definitions to be added to the controller + # manages container verbatim. + extraEnv: [] + # Extra arguments to be added to the controller + extraArgs: [] + replicas: 1 + pdb: + enabled: false + # minAvailable: 1 + # maxUnavailable: 1 + ## Node selectors and tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + nodeSelector: + kubernetes.io/os: linux + tolerations: [] + affinity: {} + # Leverage a PriorityClass to ensure your pods survive resource shortages + # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + # PriorityClass: system-cluster-critical + priorityClassName: "" + # https://argoproj.github.io/argo-workflows/links/ + links: [] + +# executor controls how the init and wait container should be customized +executor: + image: + registry: quay.io + repository: argoproj/argoexec + # Overrides the image tag whose default is the chart appVersion. + tag: "" + resources: {} + # Adds environment variables for the executor. 
+ env: {}
+ # sets security context for the executor container
+ securityContext: {}
+
+server:
+ enabled: true
+ # only updates base url of resources on client side,
+ # it's expected that a proxy server rewrites the request URL and gets rid of this prefix
+ # https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
+ baseHref: /
+ image:
+ registry: quay.io
+ repository: argoproj/argocli
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: ""
+ # optional map of annotations to be applied to the ui Pods
+ podAnnotations: {}
+ # Optional labels to add to the UI pods
+ podLabels: {}
+ # SecurityContext to set on the server pods
+ podSecurityContext: {}
+ securityContext:
+ readOnlyRootFilesystem: false
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ name: server
+ serviceType: ClusterIP
+ servicePort: 2746
+ # servicePortName: http
+ serviceAccount:
+ create: true
+ name: argo-server
+ annotations: {}
+ # Annotations to be applied to the UI Service
+ serviceAnnotations: {}
+ # Optional labels to add to the UI Service
+ serviceLabels: {}
+ # Static IP address to assign to loadBalancer
+ # service type `LoadBalancer`
+ loadBalancerIP: ""
+ # Source ranges to allow access to service from. Only applies to
+ # service type `LoadBalancer`
+ loadBalancerSourceRanges: []
+ resources: {}
+ replicas: 1
+ pdb:
+ enabled: false
+ # minAvailable: 1
+ # maxUnavailable: 1
+ ## Node selectors and tolerations for server scheduling to nodes with taints
+ ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+ ##
+ nodeSelector:
+ kubernetes.io/os: linux
+ tolerations: []
+ affinity: {}
+ # Leverage a PriorityClass to ensure your pods survive resource shortages
+ # ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
+ # PriorityClass: system-cluster-critical
+ priorityClassName: ""
+
+ # Run the argo server in "secure" mode. Configure this value instead of
+ # "--secure" in extraArgs. See the following documentation for more details
+ # on secure mode:
+ # https://argoproj.github.io/argo-workflows/tls/
+ secure: false
+
+ # Extra arguments to provide to the Argo server binary.
+ extraArgs: []
+
+ ## Additional volumes to the server main container.
+ volumeMounts: []
+ volumes: []
+
+ ## Ingress configuration.
+ ## ref: https://kubernetes.io/docs/user-guide/ingress/
+ ##
+ ingress:
+ enabled: false
+ annotations: {}
+ labels: {}
+ ingressClassName: ""
+
+ ## Argo Workflows Server Ingress.
+ ## Hostnames must be provided if Ingress is enabled.
+ ## Secrets must be manually created in the namespace
+ ##
+ hosts:
+ []
+ # - argocd.example.com
+ paths:
+ - /
+ extraPaths:
+ []
+ # - path: /*
+ # backend:
+ # serviceName: ssl-redirect
+ # servicePort: use-annotation
+ tls:
+ []
+ # - secretName: argocd-example-tls
+ # hosts:
+ # - argocd.example.com
+ https: false
+
+ clusterWorkflowTemplates:
+ # Give the server permissions to edit ClusterWorkflowTemplates.
+ enableEditing: true
+ sso:
+ ## SSO configuration when SSO is specified as a server auth mode.
+ ## All the values are required. SSO is activated by adding --auth-mode=sso
+ ## to the server command line.
+ #
+ ## The root URL of the OIDC identity provider.
+ # issuer: https://accounts.google.com
+ ## Name of a secret and a key in it to retrieve the app OIDC client ID from.
+ # clientId:
+ # name: argo-server-sso
+ # key: client-id
+ ## Name of a secret and a key in it to retrieve the app OIDC client secret from.
+ # clientSecret:
+ # name: argo-server-sso
+ # key: client-secret
+ ## The OIDC redirect URL. Should be in the form /oauth2/callback.
+ # redirectUrl: https://argo/oauth2/callback
+ # rbac:
+ # enabled: true
+ ## When present, restricts secrets the server can read to a given list.
+ ## You can use it to restrict the server to only be able to access the
+ ## service account token secrets that are associated with service accounts
+ ## used for authorization.
+ # secretWhitelist: []
+ ## Scopes requested from the SSO ID provider. The 'groups' scope requests
+ ## group membership information, which is usually used for authorization
+ ## decisions.
+ # scopes:
+ # - groups
+
+# Influences the creation of the ConfigMap for the workflow-controller itself.
+useDefaultArtifactRepo: false
+useStaticCredentials: true
+artifactRepository:
+ # archiveLogs will archive the main container logs as an artifact
+ archiveLogs: false
+ s3:
+ # Note the `key` attribute is not the actual secret, it's the PATH to
+ # the contents in the associated secret, as defined by the `name` attribute.
+ accessKeySecret:
+ # name: -minio
+ key: accesskey
+ secretKeySecret:
+ # name: -minio
+ key: secretkey
+ insecure: true
+ # bucket:
+ # endpoint:
+ # region:
+ # roleARN:
+ # useSDKCreds: true
+ # gcs:
+ # bucket: -argo
+ # keyFormat: "{{workflow.namespace}}/{{workflow.name}}/"
+ # serviceAccountKeySecret is a secret selector.
+ # It references the k8s secret named 'my-gcs-credentials'.
+ # This secret is expected to have have the key 'serviceAccountKey',
+ # containing the base64 encoded credentials
+ # to the bucket.
+ #
+ # If it's running on GKE and Workload Identity is used,
+ # serviceAccountKeySecret is not needed.
+ # serviceAccountKeySecret:
+ # name: my-gcs-credentials
+ # key: serviceAccountKey
diff --git a/charts/argo/Chart.yaml b/charts/argo/Chart.yaml
index 3f10ee6f..8e82de87 100644
--- a/charts/argo/Chart.yaml
+++ b/charts/argo/Chart.yaml
@@ -2,16 +2,12 @@ apiVersion: v2
 appVersion: v2.12.5
 description: A Helm chart for Argo Workflows
 name: argo
-version: 0.16.10
+version: 1.0.0
 icon: https://raw.githubusercontent.com/argoproj/argo/master/docs/assets/argo.png
 home: https://github.com/argoproj/argo-helm
-maintainers:
- - name: alexec
- - name: alexmt
- - name: jessesuen
- - name: benjaminws
 dependencies:
 - name: minio
 version: 8.0.9
 repository: https://helm.min.io/
 condition: minio.install
+deprecated: true
diff --git a/charts/argo/README.md b/charts/argo/README.md
index b0b5613a..024f0077 100644
--- a/charts/argo/README.md
+++ b/charts/argo/README.md
@@ -1,5 +1,7 @@
 ## Argo Workflows Chart
+> ⚠ DEPRECATION WARNING: this chart is for v2 of Argo Workflows. For v3, a new chart is available at
+
 This is a **community maintained** chart. It is used to set up argo and it's needed dependencies through one command. This is used in conjunction with [helm](https://github.com/kubernetes/helm). If you want your deployment of this helm chart to most closely match the [argo CLI](https://github.com/argoproj/argo-workflows), you should deploy it in the `kube-system` namespace.