diff --git a/opencloud/Chart.yaml b/opencloud/Chart.yaml index 142cfbf..8642b44 100644 --- a/opencloud/Chart.yaml +++ b/opencloud/Chart.yaml @@ -43,3 +43,7 @@ dependencies: version: "8.6.4" repository: "https://grafana.github.io/helm-charts" condition: grafana.enabled +- name: argo-workflows + version: "0.45.4" + repository: "https://argoproj.github.io/argo-helm" + condition: argo-workflows.enabled diff --git a/opencloud/charts/argo-workflows/.helmignore b/opencloud/charts/argo-workflows/.helmignore new file mode 100644 index 0000000..ec59d66 --- /dev/null +++ b/opencloud/charts/argo-workflows/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +ci/ +*.gotmpl diff --git a/opencloud/charts/argo-workflows/Chart.yaml b/opencloud/charts/argo-workflows/Chart.yaml new file mode 100644 index 0000000..27aa7ea --- /dev/null +++ b/opencloud/charts/argo-workflows/Chart.yaml @@ -0,0 +1,20 @@ +annotations: + artifacthub.io/changes: | + - kind: added + description: Support configuring workflow events in the controller + artifacthub.io/signKey: | + fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252 + url: https://argoproj.github.io/argo-helm/pgp_keys.asc +apiVersion: v2 +appVersion: v3.6.2 +description: A Helm chart for Argo Workflows +home: https://github.com/argoproj/argo-helm +icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png +maintainers: +- name: argoproj + url: https://argoproj.github.io/ +name: argo-workflows +sources: +- https://github.com/argoproj/argo-workflows +type: application +version: 0.45.4 diff --git a/opencloud/charts/argo-workflows/README.md b/opencloud/charts/argo-workflows/README.md new file mode 100644 index 0000000..323524c --- /dev/null +++ b/opencloud/charts/argo-workflows/README.md @@ -0,0 +1,410 @@ +# Argo Workflows Chart + +This is a **community maintained** chart. It is used to set up argo and its needed dependencies through one command. This is used in conjunction with [helm](https://github.com/kubernetes/helm). + +If you want your deployment of this helm chart to most closely match the [argo CLI](https://github.com/argoproj/argo-workflows), you should deploy it in the `kube-system` namespace. + +## Pre-Requisites + +### Custom resource definitions + +Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart. + +Helm cannot upgrade custom resource definitions in the `/crds` folder [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). Starting with 3.4.0 (chart version 0.19.0), the CRDs have been moved to `/templates` to address this design decision. + +If you are using Argo Workflows chart version prior to 3.4.0 (chart version 0.19.0) or have elected to manage the Argo Workflows CRDs outside of the chart, please use `kubectl` to upgrade CRDs manually from [templates/crds](templates/crds/) folder or via the manifests from the upstream project repo: + +```bash +kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=" + +# Eg. version v3.3.9 +kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v3.3.9" +``` + +### ServiceAccount for Workflow Spec +In order for each Workflow run, you create ServiceAccount via `values.yaml` like below. + +```yaml +workflow: + serviceAccount: + create: true + name: "argo-workflow" + rbac: + create: true +controller: + workflowNamespaces: + - default + - foo + - bar +``` + +Set ServiceAccount on Workflow. + +```yaml +apiVersion: argoproj.io/v1alpha1 +kind: Workflow +metadata: + generateName: hello-world- +spec: + entrypoint: whalesay + serviceAccountName: argo-workflow # Set ServiceAccount + templates: + - name: whalesay + container: + image: docker/whalesay + command: [ cowsay ] + args: [ "hello world" ] +``` + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +$ helm repo add argo https://argoproj.github.io/argo-helm +"argo" has been added to your repositories + +$ helm install my-release argo/argo-workflows +NAME: my-release +... +``` + +## Changelog + +For full list of changes, please check ArtifactHub [changelog]. + +## Usage Notes + +### High Availability + +This chart installs the non-HA version of Argo Workflows by default. If you want to run in HA mode, you can use [these example values](ci/ha-values.yaml) as a starting point. +Please see the upstream [Operator Manual's High Availability page](https://argo-workflows.readthedocs.io/en/stable/high-availability/) to understand how to scale Argo Workflows in depth. + +### Workflow controller + +This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of its configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs. + +### Argo Workflows server authentication + +Argo Workflows server provides some choices for authentication mechanism and you can configure `.Values.server.authModes`. By default, authentication mode is `[server]`, for local development purposes or cases where your gateway authentication is covered by some other means. +Please refer to [Argo Server Auth Mode] for more details. + +Argo Workflows server also supports SSO and you can enable it to configure `.Values.server.sso` and `.Values.server.authModes`. In order to manage access levels, you can optionally add RBAC to SSO. Please refer to [SSO RBAC] for more details. + +## Values + +The `values.yaml` contains items used to tweak a deployment of this chart. +Fields to note: + +- `controller.instanceID.enabled`: If set to true, the Argo Controller will **ONLY** monitor Workflow submissions with a `--instanceid` attribute +- `controller.instanceID.useReleaseName`: If set to true then chart set controller instance id to release name +- `controller.instanceID.explicitID`: Allows customization of an instance id for the workflow controller to monitor +- `singleNamespace`: When true, restricts the workflow controller to operate + in just the single namespace (that one of the Helm release). +- `controller.workflowNamespaces`: This is a list of namespaces where the + workflow controller will manage workflows. Only valid when `singleNamespace` + is false. + +### General parameters + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| apiVersionOverrides.autoscaling | string | `""` | String to override apiVersion of autoscaling rendered by this helm chart | +| apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart | +| apiVersionOverrides.monitoring | string | `""` | String to override apiVersion of monitoring CRDs (ServiceMonitor) rendered by this helm chart | +| commonLabels | object | `{}` | Labels to set on all resources | +| crds.annotations | object | `{}` | Annotations to be added to all CRDs | +| crds.install | bool | `true` | Install and upgrade CRDs | +| crds.keep | bool | `true` | Keep CRDs on chart uninstall | +| createAggregateRoles | bool | `true` | Create clusterroles that extend existing clusterroles to interact with argo-cd crds | +| emissary.images | list | `[]` | The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used. | +| extraObjects | list | `[]` | Array of extra K8s manifests to deploy | +| fullnameOverride | string | `nil` | String to fully override "argo-workflows.fullname" template | +| images.pullPolicy | string | `"Always"` | imagePullPolicy to apply to all containers | +| images.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry | +| images.tag | string | `""` | Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`. | +| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests | +| nameOverride | string | `nil` | String to partially override "argo-workflows.fullname" template | +| namespaceOverride | string | `.Release.Namespace` | Override the namespace | +| singleNamespace | bool | `false` | Restrict Argo to operate only in a single namespace (the namespace of the Helm release) by apply Roles and RoleBindings instead of the Cluster equivalents, and start workflow-controller with the --namespaced flag. Use it in clusters with strict access policy. | + +### Workflow + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| workflow.namespace | string | `nil` | Deprecated; use controller.workflowNamespaces instead. | +| workflow.rbac.agentPermissions | bool | `false` | Allows permissions for the Argo Agent. Only required if using http/plugin templates | +| workflow.rbac.artifactGC | bool | `false` | Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc | +| workflow.rbac.create | bool | `true` | Adds Role and RoleBinding for the above specified service account to be able to run workflows. A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) | +| workflow.rbac.serviceAccounts | list | `[]` | Extra service accounts to be added to the RoleBinding | +| workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | +| workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created | +| workflow.serviceAccount.labels | object | `{}` | Labels applied to created service account | +| workflow.serviceAccount.name | string | `"argo-workflow"` | Service account which is used to run workflows | +| workflow.serviceAccount.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets` | + +### Workflow Controller + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| controller.affinity | object | `{}` | Assign custom [affinity] rules | +| controller.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. | +| controller.clusterWorkflowTemplates.serviceAccounts | list | `[]` | Extra service accounts to be added to the ClusterRoleBinding | +| controller.columns | list | `[]` | Configure Argo Server to show custom [columns] | +| controller.configMap.annotations | object | `{}` | ConfigMap annotations | +| controller.configMap.create | bool | `true` | Create a ConfigMap for the controller | +| controller.configMap.name | string | `""` | ConfigMap name | +| controller.cronWorkflowWorkers | string | `nil` | Number of cron workflow workers Only valid for 3.5+ | +| controller.deploymentAnnotations | object | `{}` | deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment | +| controller.extraArgs | list | `[]` | Extra arguments to be added to the controller | +| controller.extraContainers | list | `[]` | Extra containers to be added to the controller deployment | +| controller.extraEnv | list | `[]` | Extra environment variables to provide to the controller container | +| controller.extraInitContainers | list | `[]` | Enables init containers to be added to the controller deployment | +| controller.image.registry | string | `"quay.io"` | Registry to use for the controller | +| controller.image.repository | string | `"argoproj/workflow-controller"` | Registry to use for the controller | +| controller.image.tag | string | `""` | Image tag for the workflow controller. Defaults to `.Values.images.tag`. | +| controller.initialDelay | string | `nil` | Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224 | +| controller.instanceID.enabled | bool | `false` | Configures the controller to filter workflow submissions to only those which have a matching instanceID attribute. | +| controller.instanceID.explicitID | string | `""` | Use a custom instanceID | +| controller.instanceID.useReleaseName | bool | `false` | Use ReleaseName as instanceID | +| controller.kubeConfig | object | `{}` (See [values.yaml]) | Configure when workflow controller runs in a different k8s cluster with the workflow workloads, or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret. | +| controller.links | list | `[]` | Configure Argo Server to show custom [links] | +| controller.livenessProbe | object | See [values.yaml] | Configure liveness [probe] for the controller | +| controller.loadBalancerClass | string | `""` | The class of the load balancer implementation | +| controller.loadBalancerSourceRanges | list | `[]` | Source ranges to allow access to service from. Only applies to service type `LoadBalancer` | +| controller.logging.format | string | `"text"` | Set the logging format (one of: `text`, `json`) | +| controller.logging.globallevel | string | `"0"` | Set the glog logging level | +| controller.logging.level | string | `"info"` | Set the logging level (one of: `debug`, `info`, `warn`, `error`) | +| controller.metricsConfig.enabled | bool | `false` | Enables prometheus metrics server | +| controller.metricsConfig.headlessService | bool | `false` | Flag to enable headless service | +| controller.metricsConfig.honorLabels | bool | `false` | When true, honorLabels preserves the metric’s labels when they collide with the target’s labels. | +| controller.metricsConfig.ignoreErrors | bool | `false` | Flag that instructs prometheus to ignore metric emission errors. | +| controller.metricsConfig.interval | string | `"30s"` | Frequency at which prometheus scrapes metrics | +| controller.metricsConfig.metricRelabelings | list | `[]` | ServiceMonitor metric relabel configs to apply to samples before ingestion | +| controller.metricsConfig.metricsTTL | string | `""` | How often custom metrics are cleared from memory | +| controller.metricsConfig.path | string | `"/metrics"` | Path is the path where metrics are emitted. Must start with a "/". | +| controller.metricsConfig.port | int | `9090` | Port is the port where metrics are emitted | +| controller.metricsConfig.portName | string | `"metrics"` | Container metrics port name | +| controller.metricsConfig.relabelings | list | `[]` | ServiceMonitor relabel configs to apply to samples before scraping | +| controller.metricsConfig.secure | bool | `false` | Flag that use a self-signed cert for TLS | +| controller.metricsConfig.servicePort | int | `8080` | Service metrics port | +| controller.metricsConfig.servicePortName | string | `"metrics"` | Service metrics port name | +| controller.metricsConfig.targetLabels | list | `[]` | ServiceMonitor will add labels from the service to the Prometheus metric | +| controller.name | string | `"workflow-controller"` | Workflow controller name string | +| controller.namespaceParallelism | string | `nil` | Limits the maximum number of incomplete workflows in a namespace | +| controller.navColor | string | `""` | Set ui navigation bar background color | +| controller.nodeEvents.enabled | bool | `true` | Enable to emit events on node completion. | +| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | [Node selector] | +| controller.parallelism | string | `nil` | parallelism dictates how many workflows can be running at the same time | +| controller.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the controller pods | +| controller.persistence | object | `{}` | enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available. | +| controller.podAnnotations | object | `{}` | podAnnotations is an optional map of annotations to be applied to the controller Pods | +| controller.podCleanupWorkers | string | `nil` | Number of pod cleanup workers | +| controller.podGCDeleteDelayDuration | string | `5s` (Argo Workflows default) | The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately. | +| controller.podGCGracePeriodSeconds | string | `30` seconds (Kubernetes default) | Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately. | +| controller.podLabels | object | `{}` | Optional labels to add to the controller pods | +| controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods | +| controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. | +| controller.rbac.accessAllSecrets | bool | `false` | Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. | +| controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. | +| controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets | +| controller.rbac.writeConfigMaps | bool | `false` | Allows controller to create and update ConfigMaps. Enables memoization feature | +| controller.replicas | int | `1` | The number of controller pods to run | +| controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. | +| controller.resources | object | `{}` | Resource limits and requests for the controller | +| controller.retentionPolicy | object | `{}` | Workflow retention by number of workflows | +| controller.revisionHistoryLimit | int | `10` | The number of revisions to keep. | +| controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | the controller container's securityContext | +| controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | +| controller.serviceAccount.create | bool | `true` | Create a service account for the controller | +| controller.serviceAccount.labels | object | `{}` | Labels applied to created service account | +| controller.serviceAccount.name | string | `""` | Service account name | +| controller.serviceAnnotations | object | `{}` | Annotations to be applied to the controller Service | +| controller.serviceLabels | object | `{}` | Optional labels to add to the controller Service | +| controller.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | +| controller.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor | +| controller.serviceMonitor.namespace | string | `""` | Prometheus ServiceMonitor namespace | +| controller.serviceType | string | `"ClusterIP"` | Service type of the controller Service | +| controller.telemetryConfig.enabled | bool | `false` | Enables prometheus telemetry server | +| controller.telemetryConfig.ignoreErrors | bool | `false` | Flag that instructs prometheus to ignore metric emission errors. | +| controller.telemetryConfig.interval | string | `"30s"` | Frequency at which prometheus scrapes telemetry data | +| controller.telemetryConfig.metricsTTL | string | `""` | How often custom metrics are cleared from memory | +| controller.telemetryConfig.path | string | `"/telemetry"` | telemetry path | +| controller.telemetryConfig.port | int | `8081` | telemetry container port | +| controller.telemetryConfig.secure | bool | `false` | Flag that use a self-signed cert for TLS | +| controller.telemetryConfig.servicePort | int | `8081` | telemetry service port | +| controller.telemetryConfig.servicePortName | string | `"telemetry"` | telemetry service port name | +| controller.tolerations | list | `[]` | [Tolerations] for use with node taints | +| controller.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the workflow controller | +| controller.volumeMounts | list | `[]` | Additional volume mounts to the controller main container | +| controller.volumes | list | `[]` | Additional volumes to the controller pod | +| controller.workflowDefaults | object | `{}` | Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. Only valid for 2.7+ | +| controller.workflowEvents.enabled | bool | `true` | Enable to emit events on workflow status changes. | +| controller.workflowNamespaces | list | `["default"]` | Specify all namespaces where this workflow controller instance will manage workflows. This controls where the service account and RBAC resources will be created. Only valid when singleNamespace is false. | +| controller.workflowRestrictions | object | `{}` | Restricts the Workflows that the controller will process. Only valid for 2.9+ | +| controller.workflowTTLWorkers | string | `nil` | Number of workflow TTL workers | +| controller.workflowWorkers | string | `nil` | Number of workflow workers | + +### Workflow Main Container + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| mainContainer.env | list | `[]` | Adds environment variables for the Workflow main container | +| mainContainer.envFrom | list | `[]` | Adds reference environment variables for the Workflow main container | +| mainContainer.imagePullPolicy | string | `""` | imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`. | +| mainContainer.resources | object | `{}` | Resource limits and requests for the Workflow main container | +| mainContainer.securityContext | object | `{}` | sets security context for the Workflow main container | + +### Workflow Executor + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| executor.args | list | `[]` | Passes arguments to the executor processes | +| executor.env | list | `[]` | Adds environment variables for the executor. | +| executor.image.pullPolicy | string | `""` | Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`. | +| executor.image.registry | string | `"quay.io"` | Registry to use for the Workflow Executors | +| executor.image.repository | string | `"argoproj/argoexec"` | Repository to use for the Workflow Executors | +| executor.image.tag | string | `""` | Image tag for the workflow executor. Defaults to `.Values.images.tag`. | +| executor.resources | object | `{}` | Resource limits and requests for the Workflow Executors | +| executor.securityContext | object | `{}` | sets security context for the executor container | + +### Workflow Server + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| server.GKEbackendConfig.enabled | bool | `false` | Enable BackendConfig custom resource for Google Kubernetes Engine | +| server.GKEbackendConfig.spec | object | `{}` | [BackendConfigSpec] | +| server.GKEfrontendConfig.enabled | bool | `false` | Enable FrontConfig custom resource for Google Kubernetes Engine | +| server.GKEfrontendConfig.spec | object | `{}` | [FrontendConfigSpec] | +| server.GKEmanagedCertificate.domains | list | `["argoworkflows.example.com"]` | Domains for the Google Managed Certificate | +| server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. | +| server.affinity | object | `{}` | Assign custom [affinity] rules | +| server.authMode | string | `""` | Deprecated; use server.authModes instead. | +| server.authModes | list | `[]` | A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well. | +| server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. This is only available on HPA apiVersion `autoscaling/v2beta2` and newer | +| server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server | +| server.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the Argo Server [HPA] | +| server.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the Argo Server [HPA] | +| server.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the Argo Server [HPA] | +| server.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the Argo Server [HPA] | +| server.baseHref | string | `"/"` | Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. | +| server.clusterWorkflowTemplates.enableEditing | bool | `true` | Give the server permissions to edit ClusterWorkflowTemplates. | +| server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. | +| server.deploymentAnnotations | object | `{}` | optional map of annotations to be applied to the ui Deployment | +| server.enabled | bool | `true` | Deploy the Argo Server | +| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary. | +| server.extraContainers | list | `[]` | Extra containers to be added to the server deployment | +| server.extraEnv | list | `[]` | Extra environment variables to provide to the argo-server container | +| server.extraInitContainers | list | `[]` | Enables init containers to be added to the server deployment | +| server.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files | +| server.image.registry | string | `"quay.io"` | Registry to use for the server | +| server.image.repository | string | `"argoproj/argocli"` | Repository to use for the server | +| server.image.tag | string | `""` | Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`. | +| server.ingress.annotations | object | `{}` | Additional ingress annotations | +| server.ingress.enabled | bool | `false` | Enable an ingress resource | +| server.ingress.extraPaths | list | `[]` | Additional ingress paths | +| server.ingress.hosts | list | `[]` | List of ingress hosts | +| server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource | +| server.ingress.labels | object | `{}` | Additional ingress labels | +| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` | +| server.ingress.paths | list | `["/"]` | List of ingress paths | +| server.ingress.tls | list | `[]` | Ingress TLS configuration | +| server.lifecycle | object | `{}` | Specify postStart and preStop lifecycle hooks for server container | +| server.loadBalancerClass | string | `""` | The class of the load balancer implementation | +| server.loadBalancerIP | string | `""` | Static IP address to assign to loadBalancer service type `LoadBalancer` | +| server.loadBalancerSourceRanges | list | `[]` | Source ranges to allow access to service from. Only applies to service type `LoadBalancer` | +| server.logging.format | string | `"text"` | Set the logging format (one of: `text`, `json`) | +| server.logging.globallevel | string | `"0"` | Set the glog logging level | +| server.logging.level | string | `"info"` | Set the logging level (one of: `debug`, `info`, `warn`, `error`) | +| server.name | string | `"server"` | Server name string | +| server.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | [Node selector] | +| server.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the server pods | +| server.podAnnotations | object | `{}` | optional map of annotations to be applied to the ui Pods | +| server.podLabels | object | `{}` | Optional labels to add to the UI pods | +| server.podSecurityContext | object | `{}` | SecurityContext to set on the server pods | +| server.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages | +| server.rbac.create | bool | `true` | Adds Role and RoleBinding for the server. | +| server.replicas | int | `1` | The number of server pods to run | +| server.resources | object | `{}` | Resource limits and requests for the server | +| server.revisionHistoryLimit | int | `10` | The number of revisions to keep. | +| server.secure | bool | `false` | Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs. | +| server.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true}` | Servers container-level security context | +| server.serviceAccount.annotations | object | `{}` | Annotations applied to created service account | +| server.serviceAccount.create | bool | `true` | Create a service account for the server | +| server.serviceAccount.labels | object | `{}` | Labels applied to created service account | +| server.serviceAccount.name | string | `""` | Service account name | +| server.serviceAnnotations | object | `{}` | Annotations to be applied to the UI Service | +| server.serviceLabels | object | `{}` | Optional labels to add to the UI Service | +| server.serviceNodePort | string | `nil` | Service node port | +| server.servicePort | int | `2746` | Service port for server | +| server.servicePortName | string | `""` | Service port name | +| server.serviceType | string | `"ClusterIP"` | Service type for server pods | +| server.sso.clientId.key | string | `"client-id"` | Key of secret to retrieve the app OIDC client ID | +| server.sso.clientId.name | string | `"argo-server-sso"` | Name of secret to retrieve the app OIDC client ID | +| server.sso.clientSecret.key | string | `"client-secret"` | Key of a secret to retrieve the app OIDC client secret | +| server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret | +| server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups | +| server.sso.enabled | bool | `false` | Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`. | +| server.sso.filterGroupsRegex | list | `[]` | Filter the groups returned by the OIDC provider | +| server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client | +| server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider | +| server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers | +| server.sso.rbac.enabled | bool | `true` | Adds ServiceAccount Policy to server (Cluster)Role. | +| server.sso.rbac.secretWhitelist | list | `[]` | Whitelist to allow server to fetch Secrets | +| server.sso.redirectUrl | string | `""` | The OIDC redirect URL. Should be in the form /oauth2/callback. | +| server.sso.scopes | list | `[]` | Scopes requested from the SSO ID provider | +| server.sso.sessionExpiry | string | `""` | Define how long your login is valid for (in hours) | +| server.sso.userInfoPath | string | `""` | Specify the user info endpoint that contains the groups claim | +| server.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook | +| server.tmpVolume | object | `{"emptyDir":{}}` | Volume to be mounted in Pods for temporary files. | +| server.tolerations | list | `[]` | [Tolerations] for use with node taints | +| server.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the argo server | +| server.volumeMounts | list | `[]` | Additional volume mounts to the server main container. | +| server.volumes | list | `[]` | Additional volumes to the server pod. | + +### Artifact Repository + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| artifactRepository.archiveLogs | bool | `false` | Archive the main container logs as an artifact | +| artifactRepository.azure | object | `{}` (See [values.yaml]) | Store artifact in Azure Blob Storage | +| artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store | +| artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store | +| artifactRepositoryRef | object | `{}` (See [values.yaml]) | The section of [artifact repository ref](https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/). Each map key is the name of configmap | +| customArtifactRepository | object | `{}` | The section of custom artifact repository. Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure) | +| useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) | + +## Breaking changes from the deprecated `argo` chart + +1. the `installCRD` value has been removed. CRDs are now only installed from the conventional crds/ directory +1. the CRDs were updated to `apiextensions.k8s.io/v1` +1. the container image registry/project/tag format was changed to be more in line with the more common + + ```yaml + image: + registry: quay.io + repository: argoproj/argocli + tag: v3.0.1 + ``` + + this also makes it easier for automatic update tooling (eg. renovate bot) to detect and update images. + +1. switched to quay.io as the default registry for all images +1. removed any included usage of Minio +1. aligned the configuration of serviceAccounts with the argo-cd chart, ie: what used to be `server.createServiceAccount` is now `server.serviceAccount.create` +1. moved the field previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig` + +[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom +[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters +[links]: https://argo-workflows.readthedocs.io/en/stable/links/ +[columns]: https://github.com/argoproj/argo-workflows/pull/10693 +[Node selector]: https://kubernetes.io/docs/user-guide/node-selection/ +[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +[probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +[Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +[values.yaml]: values.yaml +[changelog]: https://artifacthub.io/packages/helm/argo/argo-workflows?modal=changelog +[SSO RBAC]: https://argo-workflows.readthedocs.io/en/stable/argo-server-sso/ +[Argo Server Auth Mode]: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/ diff --git a/opencloud/charts/argo-workflows/templates/NOTES.txt b/opencloud/charts/argo-workflows/templates/NOTES.txt new file mode 100644 index 0000000..43c1c8f --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/NOTES.txt @@ -0,0 +1,11 @@ +{{- if .Values.server.authMode }} +DEPRECATED option server.authMode - Use server.authModes +{{- end }} + +1. Get Argo Server external IP/domain by running: + +kubectl --namespace {{ .Release.Namespace }} get services -o wide | grep {{ template "argo-workflows.server.fullname" . }} + +2. Submit the hello-world workflow by running: + +argo submit https://raw.githubusercontent.com/argoproj/argo-workflows/master/examples/hello-world.yaml --watch diff --git a/opencloud/charts/argo-workflows/templates/_helpers.tpl b/opencloud/charts/argo-workflows/templates/_helpers.tpl new file mode 100644 index 0000000..ebbba97 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/_helpers.tpl @@ -0,0 +1,211 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create argo workflows server name and version as used by the chart label. +*/}} +{{- define "argo-workflows.server.fullname" -}} +{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create controller name and version as used by the chart label. +*/}} +{{- define "argo-workflows.controller.fullname" -}} +{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "argo-workflows.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "argo-workflows.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "argo-workflows.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create kubernetes friendly chart version label for the controller. +Examples: +image.tag = v3.4.4 +output = v3.4.4 + +image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696 +output = v3.4.4 +*/}} +{{- define "argo-workflows.controller_chart_version_label" -}} +{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag) "") "" | trunc 63 | quote -}} +{{- end -}} + +{{/* +Create kubernetes friendly chart version label for the server. +Examples: +image.tag = v3.4.4 +output = v3.4.4 + +image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696 +output = v3.4.4 +*/}} +{{- define "argo-workflows.server_chart_version_label" -}} +{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.server.image.tag) "") "" | trunc 63 | quote -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "argo-workflows.labels" -}} +helm.sh/chart: {{ include "argo-workflows.chart" .context }} +{{ include "argo-workflows.selectorLabels" (dict "context" .context "component" .component "name" .name) }} +app.kubernetes.io/managed-by: {{ .context.Release.Service }} +app.kubernetes.io/part-of: argo-workflows +{{- with .context.Values.commonLabels }} +{{ toYaml .}} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "argo-workflows.selectorLabels" -}} +{{- if .name -}} +app.kubernetes.io/name: {{ include "argo-workflows.name" .context }}-{{ .name }} +{{ end -}} +app.kubernetes.io/instance: {{ .context.Release.Name }} +{{- if .component }} +app.kubernetes.io/component: {{ .component }} +app: {{ .component }} +{{- end }} +{{- end }} + +{{/* +Create the name of the controller configMap +*/}} +{{- define "argo-workflows.controller.config-map.name" -}} +{{- .Values.controller.configMap.name | default (printf "%s-%s" (include "argo-workflows.controller.fullname" .) "configmap") | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the server service account to use +*/}} +{{- define "argo-workflows.serverServiceAccountName" -}} +{{- if .Values.server.serviceAccount.create -}} + {{ default (include "argo-workflows.server.fullname" .) .Values.server.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.server.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the controller service account to use +*/}} +{{- define "argo-workflows.controllerServiceAccountName" -}} +{{- if .Values.controller.serviceAccount.create -}} + {{ default (include "argo-workflows.controller.fullname" .) .Values.controller.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.controller.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress +*/}} +{{- define "argo-workflows.ingress.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "argo-workflows.kubeVersion" $) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "argo-workflows.kubeVersion" $) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "argo-workflows.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }} +{{- end -}} + +{{/* +Return the default Argo Workflows app version +*/}} +{{- define "argo-workflows.defaultTag" -}} + {{- default .Chart.AppVersion .Values.images.tag }} +{{- end -}} + +{{/* +Return full image name including or excluding registry based on existence +*/}} +{{- define "argo-workflows.image" -}} +{{- if and .image.registry .image.repository -}} + {{ .image.registry }}/{{ .image.repository }} +{{- else -}} + {{ .image.repository }} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for autoscaling +*/}} +{{- define "argo-workflows.apiVersion.autoscaling" -}} +{{- if .Values.apiVersionOverrides.autoscaling -}} +{{- print .Values.apiVersionOverrides.autoscaling -}} +{{- else if semverCompare "<1.23-0" (include "argo-workflows.kubeVersion" .) -}} +{{- print "autoscaling/v2beta1" -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for GKE resources +*/}} +{{- define "argo-workflows.apiVersions.cloudgoogle" -}} +{{- if .Values.apiVersionOverrides.cloudgoogle -}} +{{- print .Values.apiVersionOverrides.cloudgoogle -}} +{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}} +{{- print "cloud.google.com/v1" -}} +{{- else -}} +{{- print "cloud.google.com/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for monitoring CRDs +*/}} +{{- define "argo-workflows.apiVersions.monitoring" -}} +{{- if .Values.apiVersionOverrides.monitoring -}} +{{- print .Values.apiVersionOverrides.monitoring -}} +{{- else -}} +{{- print "monitoring.coreos.com/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Expand the namespace of the release. +Allows overriding it for multi-namespace deployments in combined charts. +*/}} +{{- define "argo-workflows.namespace" -}} +{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/agent-rb.yaml b/opencloud/charts/argo-workflows/templates/controller/agent-rb.yaml new file mode 100644 index 0000000..67e4995 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/agent-rb.yaml @@ -0,0 +1,29 @@ +{{- if .Values.workflow.rbac.agentPermissions -}} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "argo-workflows.fullname" $ }}-workflow-agent + labels: + {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "argo-workflows.fullname" $ }}-workflow-agent +subjects: + - kind: ServiceAccount + name: {{ $.Values.workflow.serviceAccount.name }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} + {{- range $.Values.workflow.rbac.serviceAccounts }} + - kind: ServiceAccount + name: {{ .name }} + namespace: {{ .namespace | quote }} + {{- end }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/agent-role.yaml b/opencloud/charts/argo-workflows/templates/controller/agent-role.yaml new file mode 100644 index 0000000..577567b --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/agent-role.yaml @@ -0,0 +1,29 @@ +{{- if .Values.workflow.rbac.agentPermissions -}} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "argo-workflows.fullname" $ }}-workflow-agent + labels: + {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtasksets + verbs: + - list + - watch + - apiGroups: + - argoproj.io + resources: + - workflowtasksets/status + verbs: + - patch + {{- end }} + +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/artifact-gc-rb.yaml b/opencloud/charts/argo-workflows/templates/controller/artifact-gc-rb.yaml new file mode 100644 index 0000000..279b2c5 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/artifact-gc-rb.yaml @@ -0,0 +1,29 @@ +{{- if .Values.workflow.rbac.artifactGC -}} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "argo-workflows.fullname" $ }}-wf-artifactgc + labels: + {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "argo-workflows.fullname" $ }}-wf-artifactgc +subjects: + - kind: ServiceAccount + name: {{ $.Values.workflow.serviceAccount.name }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} + {{- range $.Values.workflow.rbac.serviceAccounts }} + - kind: ServiceAccount + name: {{ .name }} + namespace: {{ .namespace | quote }} + {{- end }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/artifact-gc-role.yaml b/opencloud/charts/argo-workflows/templates/controller/artifact-gc-role.yaml new file mode 100644 index 0000000..48218b8 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/artifact-gc-role.yaml @@ -0,0 +1,29 @@ +{{- if .Values.workflow.rbac.artifactGC -}} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "argo-workflows.fullname" $ }}-wf-artifactgc + labels: + {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} +rules: + - apiGroups: + - argoproj.io + resources: + - workflowartifactgctasks + verbs: + - list + - watch + - apiGroups: + - argoproj.io + resources: + - workflowartifactgctasks/status + verbs: + - patch + {{- end }} + +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/artifact-repository-ref-cm.yaml b/opencloud/charts/argo-workflows/templates/controller/artifact-repository-ref-cm.yaml new file mode 100644 index 0000000..81c1d0a --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/artifact-repository-ref-cm.yaml @@ -0,0 +1,19 @@ +{{- range $cm_name, $cm_val := .Values.artifactRepositoryRef }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $cm_name }} + namespace: {{ include "argo-workflows.namespace" $ | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $cm_name) | nindent 4 }} + {{- with $cm_val.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + {{- range $data_key, $data_val := (omit $cm_val "annotations") }} + {{- $data_key | nindent 2 }}: | + {{- toYaml $data_val | nindent 4 }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml new file mode 100644 index 0000000..2a407b1 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-aggregate-roles.yaml @@ -0,0 +1,107 @@ +{{- if .Values.createAggregateRoles }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "argo-workflows.fullname" . }}-view + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + - workflowartifactgctasks + - workflowartifactgctasks/finalizers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "argo-workflows.fullname" . }}-edit + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + - workflowartifactgctasks + - workflowartifactgctasks/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "argo-workflows.fullname" . }}-admin + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workfloweventbindings + - workfloweventbindings/finalizers + - workflowtemplates + - workflowtemplates/finalizers + - cronworkflows + - cronworkflows/finalizers + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowtaskresults + - workflowtaskresults/finalizers + - workflowartifactgctasks + - workflowartifactgctasks/finalizers + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml new file mode 100644 index 0000000..1e8f764 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml @@ -0,0 +1,220 @@ +{{- if .Values.controller.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + {{- if .Values.singleNamespace }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + {{- end }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - watch + - list + {{- if .Values.controller.rbac.writeConfigMaps }} + - create + - update + {{- end}} +- apiGroups: + - "" + resources: + - persistentvolumeclaims + - persistentvolumeclaims/finalizers + verbs: + - create + - update + - delete + - get +- apiGroups: + - argoproj.io + resources: + - workflows + - workflows/finalizers + - workflowtasksets + - workflowtasksets/finalizers + - workflowartifactgctasks + verbs: + - get + - list + - watch + - update + - patch + - delete + - create +- apiGroups: + - argoproj.io + resources: + - workflowtemplates + - workflowtemplates/finalizers + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflowtaskresults + - workflowtaskresults/finalizers + verbs: + - list + - watch + - deletecollection +- apiGroups: + - argoproj.io + resources: + - cronworkflows + - cronworkflows/finalizers + verbs: + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list +- apiGroups: + - "policy" + resources: + - poddisruptionbudgets + verbs: + - create + - get + - delete +{{- if .Values.controller.persistence }} +- apiGroups: + - "" + resources: + - secrets + resourceNames: + {{- if .Values.controller.persistence.postgresql }} + - {{ .Values.controller.persistence.postgresql.userNameSecret.name }} + - {{ .Values.controller.persistence.postgresql.passwordSecret.name }} + {{- end}} + {{- if .Values.controller.persistence.mysql }} + - {{ .Values.controller.persistence.mysql.userNameSecret.name }} + - {{ .Values.controller.persistence.mysql.passwordSecret.name }} + {{- end}} + verbs: + - get +{{- end}} +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + {{- if .Values.controller.instanceID.enabled }} + {{- if .Values.controller.instanceID.useReleaseName }} + - workflow-controller-{{ .Release.Name }} + - workflow-controller-lease-{{ .Release.Name }} + {{- else }} + - workflow-controller-{{ .Values.controller.instanceID.explicitID }} + - workflow-controller-lease-{{ .Values.controller.instanceID.explicitID }} + {{- end }} + {{- else }} + - workflow-controller + - workflow-controller-lease + {{- end }} + verbs: + - get + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + resourceNames: + {{/* for HTTP templates */}} + - argo-workflows-agent-ca-certificates +{{- with .Values.controller.rbac.secretWhitelist }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + resourceNames: {{- toYaml . | nindent 4 }} +{{- end }} +{{- if and (not .Values.controller.rbac.secretWhitelist) (.Values.controller.rbac.accessAllSecrets) }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +{{- end }} + +{{- if and .Values.controller.clusterWorkflowTemplates.enabled (not .Values.singleNamespace) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +rules: +- apiGroups: + - argoproj.io + resources: + - clusterworkflowtemplates + - clusterworkflowtemplates/finalizers + verbs: + - get + - list + - watch +{{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml new file mode 100644 index 0000000..4961676 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-config-map.yaml @@ -0,0 +1,214 @@ +{{- if .Values.controller.configMap.create }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "argo-workflows.controller.config-map.name" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" "cm") | nindent 4 }} + {{- with .Values.controller.configMap.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + config: | + {{- if .Values.controller.instanceID.enabled }} + {{- if .Values.controller.instanceID.useReleaseName }} + instanceID: {{ .Release.Name }} + {{- else }} + instanceID: {{ .Values.controller.instanceID.explicitID }} + {{- end }} + {{- end }} + {{- if .Values.controller.parallelism }} + parallelism: {{ .Values.controller.parallelism }} + {{- end }} + {{- if .Values.controller.resourceRateLimit }} + resourceRateLimit: {{- toYaml .Values.controller.resourceRateLimit | nindent 6 }} + {{- end }} + {{- with .Values.controller.namespaceParallelism }} + namespaceParallelism: {{ . }} + {{- end }} + {{- with .Values.controller.initialDelay }} + initialDelay: {{ . }} + {{- end }} + {{- if or .Values.mainContainer.resources .Values.mainContainer.env .Values.mainContainer.envFrom .Values.mainContainer.securityContext}} + mainContainer: + imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.mainContainer.imagePullPolicy }} + {{- with .Values.mainContainer.resources }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.mainContainer.env }} + env: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.mainContainer.envFrom }} + envFrom: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.mainContainer.securityContext }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.executor.resources .Values.executor.env .Values.executor.args .Values.executor.securityContext}} + executor: + imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.executor.image.pullPolicy }} + {{- with .Values.executor.resources }} + resources: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.executor.args }} + args: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.executor.env }} + env: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.executor.securityContext }} + securityContext: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- if or .Values.artifactRepository.s3 .Values.artifactRepository.gcs .Values.artifactRepository.azure .Values.customArtifactRepository }} + artifactRepository: + {{- if .Values.artifactRepository.archiveLogs }} + archiveLogs: {{ .Values.artifactRepository.archiveLogs }} + {{- end }} + {{- with .Values.artifactRepository.gcs }} + gcs: {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.artifactRepository.azure }} + azure: {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- if .Values.artifactRepository.s3 }} + s3: + {{- if .Values.useStaticCredentials }} + accessKeySecret: + key: {{ tpl .Values.artifactRepository.s3.accessKeySecret.key . }} + name: {{ tpl .Values.artifactRepository.s3.accessKeySecret.name . }} + secretKeySecret: + key: {{ tpl .Values.artifactRepository.s3.secretKeySecret.key . }} + name: {{ tpl .Values.artifactRepository.s3.secretKeySecret.name . }} + {{- if .Values.artifactRepository.s3.sessionTokenSecret }} + sessionTokenSecret: + key: {{ tpl .Values.artifactRepository.s3.sessionTokenSecret.key . }} + name: {{ tpl .Values.artifactRepository.s3.sessionTokenSecret.name . }} + {{- end }} + {{- end }} + bucket: {{ tpl (.Values.artifactRepository.s3.bucket | default "") . }} + endpoint: {{ tpl (.Values.artifactRepository.s3.endpoint | default "") . }} + insecure: {{ .Values.artifactRepository.s3.insecure }} + {{- if .Values.artifactRepository.s3.caSecret }} + caSecret: + name: {{ tpl .Values.artifactRepository.s3.caSecret.name . }} + key: {{ tpl .Values.artifactRepository.s3.caSecret.key . }} + {{- end }} + {{- if .Values.artifactRepository.s3.keyFormat }} + keyFormat: {{ .Values.artifactRepository.s3.keyFormat | quote }} + {{- end }} + {{- if .Values.artifactRepository.s3.region }} + region: {{ tpl .Values.artifactRepository.s3.region $ }} + {{- end }} + {{- if .Values.artifactRepository.s3.roleARN }} + roleARN: {{ .Values.artifactRepository.s3.roleARN }} + {{- end }} + {{- if .Values.artifactRepository.s3.useSDKCreds }} + useSDKCreds: {{ .Values.artifactRepository.s3.useSDKCreds }} + {{- end }} + {{- with .Values.artifactRepository.s3.encryptionOptions }} + encryptionOptions: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- if .Values.customArtifactRepository }} + {{- toYaml .Values.customArtifactRepository | nindent 6 }} + {{- end }} + {{- end }} + {{- if .Values.controller.metricsConfig.enabled }} + metricsConfig: + enabled: {{ .Values.controller.metricsConfig.enabled }} + path: {{ .Values.controller.metricsConfig.path }} + port: {{ .Values.controller.metricsConfig.port }} + {{- if .Values.controller.metricsConfig.metricsTTL }} + metricsTTL: {{ .Values.controller.metricsConfig.metricsTTL }} + {{- end }} + ignoreErrors: {{ .Values.controller.metricsConfig.ignoreErrors }} + secure: {{ .Values.controller.metricsConfig.secure }} + {{- end }} + {{- if .Values.controller.telemetryConfig.enabled }} + telemetryConfig: + enabled: {{ .Values.controller.telemetryConfig.enabled }} + path: {{ .Values.controller.telemetryConfig.path }} + port: {{ .Values.controller.telemetryConfig.port }} + {{- if .Values.controller.telemetryConfig.metricsTTL }} + metricsTTL: {{ .Values.controller.telemetryConfig.metricsTTL }} + {{- end }} + ignoreErrors: {{ .Values.controller.telemetryConfig.ignoreErrors }} + secure: {{ .Values.controller.telemetryConfig.secure }} + {{- end }} + {{- if .Values.controller.persistence }} + persistence: +{{ toYaml .Values.controller.persistence | indent 6 }}{{- end }} + {{- if .Values.controller.workflowDefaults }} + workflowDefaults: +{{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }} + {{- if .Values.server.sso.enabled }} + sso: + issuer: {{ .Values.server.sso.issuer }} + clientId: + name: {{ .Values.server.sso.clientId.name }} + key: {{ .Values.server.sso.clientId.key }} + clientSecret: + name: {{ .Values.server.sso.clientSecret.name }} + key: {{ .Values.server.sso.clientSecret.key }} + redirectUrl: {{ .Values.server.sso.redirectUrl | quote }} + rbac: + enabled: {{ .Values.server.sso.rbac.enabled }} + {{- with .Values.server.sso.scopes }} + scopes: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.sso.issuerAlias }} + issuerAlias: {{ toYaml . }} + {{- end }} + {{- with .Values.server.sso.sessionExpiry }} + sessionExpiry: {{ toYaml . }} + {{- end }} + {{- with .Values.server.sso.customGroupClaimName }} + customGroupClaimName: {{ toYaml . }} + {{- end }} + {{- with .Values.server.sso.userInfoPath }} + userInfoPath: {{ toYaml . }} + {{- end }} + {{- with .Values.server.sso.insecureSkipVerify }} + insecureSkipVerify: {{ toYaml . }} + {{- end }} + {{- with .Values.server.sso.filterGroupsRegex }} + filterGroupsRegex: {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- with .Values.controller.workflowRestrictions }} + workflowRestrictions: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.controller.links }} + links: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.controller.columns }} + columns: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.controller.navColor }} + navColor: {{ . }} + {{- end }} + {{- with .Values.controller.retentionPolicy }} + retentionPolicy: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.emissary.images }} + images: {{- toYaml . | nindent 6 }} + {{- end }} + nodeEvents: + enabled: {{ .Values.controller.nodeEvents.enabled }} + workflowEvents: + enabled: {{ .Values.controller.workflowEvents.enabled }} + {{- with .Values.controller.kubeConfig }} + kubeConfig: {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.controller.podGCGracePeriodSeconds }} + podGCGracePeriodSeconds: {{ . }} + {{- end }} + {{- with .Values.controller.podGCDeleteDelayDuration }} + podGCDeleteDelayDuration: {{ . }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml new file mode 100644 index 0000000..93e0557 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-crb.yaml @@ -0,0 +1,50 @@ +{{- if .Values.controller.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: RoleBinding +{{ else }} +kind: ClusterRoleBinding +{{- end }} +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + {{- if .Values.singleNamespace }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + {{- end }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + {{- if .Values.singleNamespace }} + kind: Role + {{ else }} + kind: ClusterRole + {{- end }} + name: {{ template "argo-workflows.controller.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "argo-workflows.controllerServiceAccountName" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + +{{- if .Values.controller.clusterWorkflowTemplates.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template +subjects: + - kind: ServiceAccount + name: {{ template "argo-workflows.controllerServiceAccountName" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} +{{- range .Values.controller.clusterWorkflowTemplates.serviceAccounts }} + - kind: ServiceAccount + name: {{ .name }} + namespace: {{ .namespace | quote }} +{{- end }} +{{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml new file mode 100644 index 0000000..bee7c19 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml @@ -0,0 +1,20 @@ +{{- if .Values.controller.pdb.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} +spec: + {{- if .Values.controller.pdb.minAvailable }} + minAvailable: {{ .Values.controller.pdb.minAvailable }} + {{- else if .Values.controller.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.controller.pdb.maxUnavailable }} + {{- else }} + minAvailable: 0 + {{- end }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml new file mode 100644 index 0000000..b3db5f4 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-deployment.yaml @@ -0,0 +1,146 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }} + {{- with .Values.controller.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.controller.replicas }} + revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} + template: + metadata: + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }} + app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }} + {{- with.Values.controller.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "argo-workflows.controllerServiceAccountName" . }} + {{- with .Values.controller.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.extraInitContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: controller + image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.controller.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag }}" + imagePullPolicy: {{ .Values.images.pullPolicy }} + command: [ "workflow-controller" ] + args: + - "--configmap" + - "{{ template "argo-workflows.controller.config-map.name" . }}" + - "--executor-image" + - "{{- include "argo-workflows.image" (dict "context" . "image" .Values.executor.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.executor.image.tag }}" + - "--loglevel" + - "{{ .Values.controller.logging.level }}" + - "--gloglevel" + - "{{ .Values.controller.logging.globallevel }}" + - "--log-format" + - "{{ .Values.controller.logging.format }}" + {{- if .Values.singleNamespace }} + - "--namespaced" + {{- end }} + {{- with .Values.controller.workflowWorkers }} + - "--workflow-workers" + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.workflowTTLWorkers }} + - "--workflow-ttl-workers" + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.podCleanupWorkers }} + - "--pod-cleanup-workers" + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.cronWorkflowWorkers }} + - "--cron-workflow-workers" + - {{ . | quote }} + {{- end }} + {{- with .Values.controller.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + securityContext: + {{- toYaml .Values.controller.securityContext | nindent 12 }} + env: + - name: ARGO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: LEADER_ELECTION_IDENTITY + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + {{- if eq (int .Values.controller.replicas) 1 }} + - name: LEADER_ELECTION_DISABLE + value: "true" + {{- end }} + {{- with .Values.controller.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.controller.resources | nindent 12 }} + {{- with .Values.controller.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 10 }} + {{- end }} + ports: + - name: {{ .Values.controller.metricsConfig.portName }} + containerPort: {{ .Values.controller.metricsConfig.port }} + - containerPort: 6060 + livenessProbe: {{ .Values.controller.livenessProbe | toYaml | nindent 12 }} + {{- with .Values.controller.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.volumes }} + volumes: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.controller.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $constraint := . }} + - {{ toYaml $constraint | nindent 8 | trim }} + {{- if not $constraint.labelSelector }} + labelSelector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.controller.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml new file mode 100644 index 0000000..fd1db89 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-sa.yaml @@ -0,0 +1,16 @@ +{{- if .Values.controller.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "argo-workflows.controllerServiceAccountName" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + {{- with .Values.controller.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{ with .Values.controller.serviceAccount.annotations }} + annotations: + {{- toYaml .| nindent 4 }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-controller-service.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-service.yaml new file mode 100644 index 0000000..4a1290b --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-service.yaml @@ -0,0 +1,47 @@ +{{- if or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }} + {{- with .Values.controller.serviceLabels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.controller.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4}} + {{- end }} +spec: + ports: + {{- if .Values.controller.metricsConfig.enabled }} + - name: {{ .Values.controller.metricsConfig.servicePortName }} + port: {{ .Values.controller.metricsConfig.servicePort }} + protocol: TCP + targetPort: {{ .Values.controller.metricsConfig.port }} + {{- end }} + {{- if .Values.controller.telemetryConfig.enabled }} + - name: {{ .Values.controller.telemetryConfig.servicePortName }} + port: {{ .Values.controller.telemetryConfig.servicePort }} + protocol: TCP + targetPort: {{ .Values.controller.telemetryConfig.port }} + {{- end }} + selector: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 4 }} + sessionAffinity: None + type: {{ .Values.controller.serviceType }} + {{- if and (eq .Values.controller.serviceType "ClusterIP") .Values.controller.metricsConfig.headlessService }} + clusterIP: None + {{- end }} + {{- if eq .Values.controller.serviceType "LoadBalancer" }} + {{- with .Values.controller.loadBalancerClass }} + loadBalancerClass: {{ . }} + {{- end }} + {{- if .Values.controller.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml .Values.controller.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml new file mode 100644 index 0000000..46fd18d --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml @@ -0,0 +1,53 @@ +{{- $apiVersion := include "argo-workflows.apiVersions.monitoring" . }} +{{- if and (.Capabilities.APIVersions.Has $apiVersion) (or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled) .Values.controller.serviceMonitor.enabled }} +apiVersion: {{ $apiVersion }} +kind: ServiceMonitor +metadata: + name: {{ template "argo-workflows.controller.fullname" . }} + namespace: {{ default (include "argo-workflows.namespace" .) .Values.controller.serviceMonitor.namespace | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }} + {{- with .Values.controller.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + {{- if .Values.controller.metricsConfig.enabled }} + - port: {{ .Values.controller.metricsConfig.servicePortName }} + path: {{ .Values.controller.metricsConfig.path }} + interval: {{ .Values.controller.metricsConfig.interval }} + {{- with .Values.controller.metricsConfig.relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.metricsConfig.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + honorLabels: {{ .Values.controller.metricsConfig.honorLabels }} + {{- end }} + {{- if .Values.controller.telemetryConfig.enabled }} + - port: telemetry + path: {{ .Values.controller.telemetryConfig.path }} + interval: {{ .Values.controller.telemetryConfig.interval }} + {{- with .Values.controller.metricsConfig.relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controller.metricsConfig.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + honorLabels: {{ .Values.controller.metricsConfig.honorLabels }} + {{- end }} + {{- with .Values.controller.metricsConfig.targetLabels }} + targetLabels: + {{- toYaml . | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ include "argo-workflows.namespace" . | quote }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-rb.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-rb.yaml new file mode 100644 index 0000000..d1d0e32 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-rb.yaml @@ -0,0 +1,29 @@ +{{- if .Values.workflow.rbac.create -}} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "argo-workflows.fullname" $ }}-workflow + labels: + {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "argo-workflows.fullname" $ }}-workflow +subjects: + - kind: ServiceAccount + name: {{ $.Values.workflow.serviceAccount.name }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} + {{- range $.Values.workflow.rbac.serviceAccounts }} + - kind: ServiceAccount + name: {{ .name }} + namespace: {{ .namespace | quote }} + {{- end }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-role.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-role.yaml new file mode 100644 index 0000000..81c2004 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-role.yaml @@ -0,0 +1,23 @@ +{{- if .Values.workflow.rbac.create -}} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "argo-workflows.fullname" $ }}-workflow + labels: + {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} +rules: + - apiGroups: + - argoproj.io + resources: + - workflowtaskresults + verbs: + - create + - patch + {{- end }} + +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/controller/workflow-sa.yaml b/opencloud/charts/argo-workflows/templates/controller/workflow-sa.yaml new file mode 100644 index 0000000..c6fff69 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/controller/workflow-sa.yaml @@ -0,0 +1,25 @@ +{{- if .Values.workflow.serviceAccount.create -}} + {{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace (include "argo-workflows.namespace" .)) | uniq) }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $.Values.workflow.serviceAccount.name }} + labels: + {{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }} + {{- with $.Values.workflow.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $namespace }} + namespace: {{ . }} + {{- end }} + {{- with $.Values.workflow.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $.Values.workflow.serviceAccount.pullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/crds/argoproj.io_clusterworkflowtemplates.yaml b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_clusterworkflowtemplates.yaml new file mode 100644 index 0000000..9264eab --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_clusterworkflowtemplates.yaml @@ -0,0 +1,47 @@ +{{- if .Values.crds.install }} +{{- if or (.Values.server.clusterWorkflowTemplates.enabled) (.Values.controller.clusterWorkflowTemplates.enabled) }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterworkflowtemplates.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + group: argoproj.io + names: + kind: ClusterWorkflowTemplate + listKind: ClusterWorkflowTemplateList + plural: clusterworkflowtemplates + shortNames: + - clusterwftmpl + - cwft + singular: clusterworkflowtemplate + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true +{{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/crds/argoproj.io_cronworkflows.yaml b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_cronworkflows.yaml new file mode 100644 index 0000000..7b932d8 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_cronworkflows.yaml @@ -0,0 +1,49 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: cronworkflows.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + group: argoproj.io + names: + kind: CronWorkflow + listKind: CronWorkflowList + plural: cronworkflows + shortNames: + - cwf + - cronwf + singular: cronworkflow + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowartifactgctasks.yaml b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowartifactgctasks.yaml new file mode 100644 index 0000000..6a47471 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowartifactgctasks.yaml @@ -0,0 +1,1146 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowartifactgctasks.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + group: argoproj.io + names: + kind: WorkflowArtifactGCTask + listKind: WorkflowArtifactGCTaskList + plural: workflowartifactgctasks + shortNames: + - wfat + singular: workflowartifactgctask + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + artifactsByNode: + additionalProperties: + properties: + archiveLocation: + properties: + archiveLogs: + type: boolean + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - url + type: object + azure: + properties: + accountKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + blob: + type: string + container: + type: string + endpoint: + type: string + useSDKCreds: + type: boolean + required: + - blob + - container + - endpoint + type: object + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - key + type: object + git: + properties: + branch: + type: string + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + insecureSkipTLS: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + repo: + type: string + revision: + type: string + singleBranch: + type: boolean + sshPrivateKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - repo + type: object + hdfs: + properties: + addresses: + items: + type: string + type: array + dataTransferProtection: + type: string + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbConfigConfigMap: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbKeytabSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + auth: + properties: + basicAuth: + properties: + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientCert: + properties: + clientCertSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + clientKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + oauth2: + properties: + clientIDSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + clientSecretSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + items: + properties: + key: + type: string + value: + type: string + required: + - key + type: object + type: array + scopes: + items: + type: string + type: array + tokenURLSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + securityToken: + type: string + useSDKCreds: + type: boolean + required: + - key + type: object + raw: + properties: + data: + type: string + required: + - data + type: object + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + type: string + caSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sessionTokenSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + useSDKCreds: + type: boolean + type: object + type: object + artifacts: + additionalProperties: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactGC: + properties: + podMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + serviceAccountName: + type: string + strategy: + enum: + - "" + - OnWorkflowCompletion + - OnWorkflowDeletion + - Never + type: string + type: object + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - url + type: object + azure: + properties: + accountKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + blob: + type: string + container: + type: string + endpoint: + type: string + useSDKCreds: + type: boolean + required: + - blob + - container + - endpoint + type: object + deleted: + type: boolean + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - key + type: object + git: + properties: + branch: + type: string + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + insecureSkipTLS: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + repo: + type: string + revision: + type: string + singleBranch: + type: boolean + sshPrivateKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + dataTransferProtection: + type: string + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbConfigConfigMap: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbKeytabSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + auth: + properties: + basicAuth: + properties: + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientCert: + properties: + clientCertSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + clientKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + oauth2: + properties: + clientIDSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + clientSecretSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + items: + properties: + key: + type: string + value: + type: string + required: + - key + type: object + type: array + scopes: + items: + type: string + type: array + tokenURLSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + securityToken: + type: string + useSDKCreds: + type: boolean + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + type: string + caSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sessionTokenSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: object + type: object + type: object + type: object + status: + properties: + artifactResultsByNode: + additionalProperties: + properties: + artifactResults: + additionalProperties: + properties: + error: + type: string + name: + type: string + success: + type: boolean + required: + - name + type: object + type: object + type: object + type: object + type: object + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workfloweventbindings.yaml b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workfloweventbindings.yaml new file mode 100644 index 0000000..f11df95 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workfloweventbindings.yaml @@ -0,0 +1,690 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workfloweventbindings.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + group: argoproj.io + names: + kind: WorkflowEventBinding + listKind: WorkflowEventBindingList + plural: workfloweventbindings + shortNames: + - wfeb + singular: workfloweventbinding + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + event: + properties: + selector: + type: string + required: + - selector + type: object + submit: + properties: + arguments: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactGC: + properties: + podMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + serviceAccountName: + type: string + strategy: + enum: + - "" + - OnWorkflowCompletion + - OnWorkflowDeletion + - Never + type: string + type: object + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - url + type: object + azure: + properties: + accountKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + blob: + type: string + container: + type: string + endpoint: + type: string + useSDKCreds: + type: boolean + required: + - blob + - container + - endpoint + type: object + deleted: + type: boolean + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - key + type: object + git: + properties: + branch: + type: string + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + insecureSkipTLS: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + repo: + type: string + revision: + type: string + singleBranch: + type: boolean + sshPrivateKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + dataTransferProtection: + type: string + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbConfigConfigMap: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbKeytabSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + auth: + properties: + basicAuth: + properties: + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientCert: + properties: + clientCertSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + clientKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + oauth2: + properties: + clientIDSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + clientSecretSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + items: + properties: + key: + type: string + value: + type: string + required: + - key + type: object + type: array + scopes: + items: + type: string + type: array + tokenURLSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + securityToken: + type: string + useSDKCreds: + type: boolean + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + type: string + caSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sessionTokenSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: + type: string + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + type: object + metadata: + type: object + workflowTemplateRef: + properties: + clusterScope: + type: boolean + name: + type: string + type: object + required: + - workflowTemplateRef + type: object + required: + - event + type: object + required: + - metadata + - spec + type: object + served: true + storage: true +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflows.yaml b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflows.yaml new file mode 100644 index 0000000..85b71f9 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflows.yaml @@ -0,0 +1,64 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflows.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + group: argoproj.io + names: + kind: Workflow + listKind: WorkflowList + plural: workflows + shortNames: + - wf + singular: workflow + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Status of the workflow + jsonPath: .status.phase + name: Status + type: string + - description: When the workflow was started + format: date-time + jsonPath: .status.startedAt + name: Age + type: date + - description: Human readable message indicating details about why the workflow + is in this condition. + jsonPath: .status.message + name: Message + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: {} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml new file mode 100644 index 0000000..02f3f08 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml @@ -0,0 +1,671 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowtaskresults.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + group: argoproj.io + names: + kind: WorkflowTaskResult + listKind: WorkflowTaskResultList + plural: workflowtaskresults + singular: workflowtaskresult + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + message: + type: string + metadata: + type: object + outputs: + properties: + artifacts: + items: + properties: + archive: + properties: + none: + type: object + tar: + properties: + compressionLevel: + format: int32 + type: integer + type: object + zip: + type: object + type: object + archiveLogs: + type: boolean + artifactGC: + properties: + podMetadata: + properties: + annotations: + additionalProperties: + type: string + type: object + labels: + additionalProperties: + type: string + type: object + type: object + serviceAccountName: + type: string + strategy: + enum: + - "" + - OnWorkflowCompletion + - OnWorkflowDeletion + - Never + type: string + type: object + artifactory: + properties: + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + url: + type: string + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - url + type: object + azure: + properties: + accountKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + blob: + type: string + container: + type: string + endpoint: + type: string + useSDKCreds: + type: boolean + required: + - blob + - container + - endpoint + type: object + deleted: + type: boolean + from: + type: string + fromExpression: + type: string + gcs: + properties: + bucket: + type: string + key: + type: string + serviceAccountKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - key + type: object + git: + properties: + branch: + type: string + depth: + format: int64 + type: integer + disableSubmodules: + type: boolean + fetch: + items: + type: string + type: array + insecureIgnoreHostKey: + type: boolean + insecureSkipTLS: + type: boolean + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + repo: + type: string + revision: + type: string + singleBranch: + type: boolean + sshPrivateKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + required: + - repo + type: object + globalName: + type: string + hdfs: + properties: + addresses: + items: + type: string + type: array + dataTransferProtection: + type: string + force: + type: boolean + hdfsUser: + type: string + krbCCacheSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbConfigConfigMap: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbKeytabSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + krbRealm: + type: string + krbServicePrincipalName: + type: string + krbUsername: + type: string + path: + type: string + required: + - path + type: object + http: + properties: + auth: + properties: + basicAuth: + properties: + passwordSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + usernameSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + clientCert: + properties: + clientCertSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + clientKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + oauth2: + properties: + clientIDSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + clientSecretSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + endpointParams: + items: + properties: + key: + type: string + value: + type: string + required: + - key + type: object + type: array + scopes: + items: + type: string + type: array + tokenURLSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + type: object + headers: + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + url: + type: string + required: + - url + type: object + mode: + format: int32 + type: integer + name: + type: string + optional: + type: boolean + oss: + properties: + accessKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + type: string + createBucketIfNotPresent: + type: boolean + endpoint: + type: string + key: + type: string + lifecycleRule: + properties: + markDeletionAfterDays: + format: int32 + type: integer + markInfrequentAccessAfterDays: + format: int32 + type: integer + type: object + secretKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + securityToken: + type: string + useSDKCreds: + type: boolean + required: + - key + type: object + path: + type: string + raw: + properties: + data: + type: string + required: + - data + type: object + recurseMode: + type: boolean + s3: + properties: + accessKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + bucket: + type: string + caSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + createBucketIfNotPresent: + properties: + objectLocking: + type: boolean + type: object + encryptionOptions: + properties: + enableEncryption: + type: boolean + kmsEncryptionContext: + type: string + kmsKeyId: + type: string + serverSideCustomerKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + type: object + endpoint: + type: string + insecure: + type: boolean + key: + type: string + region: + type: string + roleARN: + type: string + secretKeySecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + sessionTokenSecret: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + useSDKCreds: + type: boolean + type: object + subPath: + type: string + required: + - name + type: object + type: array + exitCode: + type: string + parameters: + items: + properties: + default: + type: string + description: + type: string + enum: + items: + type: string + type: array + globalName: + type: string + name: + type: string + value: + type: string + valueFrom: + properties: + configMapKeyRef: + properties: + key: + type: string + name: + default: "" + type: string + optional: + type: boolean + required: + - key + type: object + x-kubernetes-map-type: atomic + default: + type: string + event: + type: string + expression: + type: string + jqFilter: + type: string + jsonPath: + type: string + parameter: + type: string + path: + type: string + supplied: + type: object + type: object + required: + - name + type: object + type: array + result: + type: string + type: object + phase: + type: string + progress: + type: string + required: + - metadata + type: object + served: true + storage: true +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtasksets.yaml b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtasksets.yaml new file mode 100644 index 0000000..7469294 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtasksets.yaml @@ -0,0 +1,50 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowtasksets.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + group: argoproj.io + names: + kind: WorkflowTaskSet + listKind: WorkflowTaskSetList + plural: workflowtasksets + shortNames: + - wfts + singular: workflowtaskset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + status: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true + subresources: + status: {} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtemplates.yaml b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtemplates.yaml new file mode 100644 index 0000000..810e6f5 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/crds/argoproj.io_workflowtemplates.yaml @@ -0,0 +1,44 @@ +{{- if .Values.crds.install }} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: workflowtemplates.argoproj.io + annotations: + {{- if .Values.crds.keep }} + "helm.sh/resource-policy": keep + {{- end }} + {{- with .Values.crds.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + group: argoproj.io + names: + kind: WorkflowTemplate + listKind: WorkflowTemplateList + plural: workflowtemplates + shortNames: + - wftmpl + singular: workflowtemplate + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + type: string + kind: + type: string + metadata: + type: object + spec: + type: object + x-kubernetes-map-type: atomic + x-kubernetes-preserve-unknown-fields: true + required: + - metadata + - spec + type: object + served: true + storage: true +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/extra-manifests.yaml b/opencloud/charts/argo-workflows/templates/extra-manifests.yaml new file mode 100644 index 0000000..fc9a76b --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/extra-manifests.yaml @@ -0,0 +1,8 @@ +{{ range .Values.extraObjects }} +--- +{{ if typeIs "string" . }} + {{- tpl . $ }} +{{- else }} + {{- tpl (toYaml .) $ }} +{{- end }} +{{ end }} diff --git a/opencloud/charts/argo-workflows/templates/server/gke/backendconfig.yaml b/opencloud/charts/argo-workflows/templates/server/gke/backendconfig.yaml new file mode 100644 index 0000000..0d439b6 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/gke/backendconfig.yaml @@ -0,0 +1,11 @@ +{{- if .Values.server.GKEbackendConfig.enabled }} +apiVersion: {{ include "argo-workflows.apiVersions.cloudgoogle" . }} +kind: BackendConfig +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +spec: + {{- toYaml .Values.server.GKEbackendConfig.spec | nindent 2 }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/server/gke/frontendconfig.yaml b/opencloud/charts/argo-workflows/templates/server/gke/frontendconfig.yaml new file mode 100644 index 0000000..32cfc3a --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/gke/frontendconfig.yaml @@ -0,0 +1,11 @@ +{{- if .Values.server.GKEfrontendConfig.enabled }} +apiVersion: networking.gke.io/v1beta1 +kind: FrontendConfig +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +spec: + {{- toYaml .Values.server.GKEfrontendConfig.spec | nindent 2 }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/server/gke/managedcertificate.yaml b/opencloud/charts/argo-workflows/templates/server/gke/managedcertificate.yaml new file mode 100644 index 0000000..4d1f840 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/gke/managedcertificate.yaml @@ -0,0 +1,12 @@ +{{- if .Values.server.GKEmanagedCertificate.enabled }} +apiVersion: networking.gke.io/v1 +kind: ManagedCertificate +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} +spec: + domains: + {{- with .Values.server.GKEmanagedCertificate.domains }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/server/server-cluster-roles.yaml b/opencloud/charts/argo-workflows/templates/server/server-cluster-roles.yaml new file mode 100644 index 0000000..f095309 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/server-cluster-roles.yaml @@ -0,0 +1,145 @@ +{{- if and .Values.server.enabled .Values.server.rbac.create}} +apiVersion: rbac.authorization.k8s.io/v1 + {{- if .Values.singleNamespace }} +kind: Role + {{- else }} +kind: ClusterRole + {{- end }} +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + {{- if .Values.singleNamespace }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + {{- end }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - configmaps + - events + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - delete +- apiGroups: + - "" + resources: + - pods/log + verbs: + - get + - list +{{- if .Values.server.sso.enabled }} +- apiGroups: + - "" + resources: + - secrets + resourceNames: + - sso + verbs: + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + {{- if .Values.server.sso.rbac.enabled }} +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - get + - list + - watch + {{- end }} +{{- end }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get +{{- if and .Values.server.sso.enabled .Values.server.sso.rbac.enabled }} + {{- with .Values.server.sso.rbac.secretWhitelist }} + resourceNames: {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +- apiGroups: + - "" + resources: + - events + verbs: + - watch + - create + - patch +{{- if .Values.controller.persistence }} +- apiGroups: + - "" + resources: + - secrets + resourceNames: + {{- with .Values.controller.persistence.postgresql }} + - {{ .userNameSecret.name }} + - {{ .passwordSecret.name }} + {{- end}} + {{- with .Values.controller.persistence.mysql }} + - {{ .userNameSecret.name }} + - {{ .passwordSecret.name }} + {{- end}} + verbs: + - get +{{- end}} +- apiGroups: + - argoproj.io + resources: + - eventsources + - sensors + - workflows + - workfloweventbindings + - workflowtemplates + - cronworkflows + verbs: + - create + - get + - list + - watch + - update + - patch + - delete + +{{- if and .Values.server.clusterWorkflowTemplates.enabled (not .Values.singleNamespace) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "argo-workflows.server.fullname" . }}-cluster-template + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +rules: +- apiGroups: + - argoproj.io + resources: + - clusterworkflowtemplates + verbs: + - get + - list + - watch + {{- if .Values.server.clusterWorkflowTemplates.enableEditing }} + - create + - update + - patch + - delete + {{- end }} +{{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/server/server-crb.yaml b/opencloud/charts/argo-workflows/templates/server/server-crb.yaml new file mode 100644 index 0000000..4ffb910 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/server-crb.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.server.enabled .Values.server.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +{{- if .Values.singleNamespace }} +kind: RoleBinding +{{ else }} +kind: ClusterRoleBinding +{{- end }} +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + {{- if .Values.singleNamespace }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + {{- end }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + {{- if .Values.singleNamespace }} + kind: Role + {{ else }} + kind: ClusterRole + {{- end }} + name: {{ template "argo-workflows.server.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "argo-workflows.serverServiceAccountName" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + +{{- if .Values.server.clusterWorkflowTemplates.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "argo-workflows.server.fullname" . }}-cluster-template + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "argo-workflows.server.fullname" . }}-cluster-template +subjects: +- kind: ServiceAccount + name: {{ template "argo-workflows.serverServiceAccountName" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} +{{- end -}} +{{- end -}} diff --git a/opencloud/charts/argo-workflows/templates/server/server-deployment-hpa.yaml b/opencloud/charts/argo-workflows/templates/server/server-deployment-hpa.yaml new file mode 100644 index 0000000..142bc31 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/server-deployment-hpa.yaml @@ -0,0 +1,45 @@ +{{- if and .Values.server.enabled .Values.server.autoscaling.enabled }} +apiVersion: {{ include "argo-workflows.apiVersion.autoscaling" . }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "argo-workflows.server.fullname" . }} + minReplicas: {{ .Values.server.autoscaling.minReplicas }} + maxReplicas: {{ .Values.server.autoscaling.maxReplicas }} + metrics: + {{- with .Values.server.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + {{- if eq (include "argo-workflows.apiVersion.autoscaling" $) "autoscaling/v2beta1" }} + targetAverageUtilization: {{ . }} + {{- else }} + target: + averageUtilization: {{ . }} + type: Utilization + {{- end }} + {{- end }} + {{- with .Values.server.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + {{- if eq (include "argo-workflows.apiVersion.autoscaling" $) "autoscaling/v2beta1" }} + targetAverageUtilization: {{ . }} + {{- else }} + target: + averageUtilization: {{ . }} + type: Utilization + {{- end }} + {{- end }} + {{- with .Values.server.autoscaling.behavior }} + behavior: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/opencloud/charts/argo-workflows/templates/server/server-deployment-pdb.yaml b/opencloud/charts/argo-workflows/templates/server/server-deployment-pdb.yaml new file mode 100644 index 0000000..47f8394 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/server-deployment-pdb.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.server.enabled .Values.server.pdb.enabled -}} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} +spec: + {{- if .Values.server.pdb.minAvailable }} + minAvailable: {{ .Values.server.pdb.minAvailable }} + {{- else if .Values.server.pdb.maxUnavailable }} + maxUnavailable: {{ .Values.server.pdb.maxUnavailable }} + {{- else }} + minAvailable: 0 + {{- end }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} +{{- end -}} diff --git a/opencloud/charts/argo-workflows/templates/server/server-deployment.yaml b/opencloud/charts/argo-workflows/templates/server/server-deployment.yaml new file mode 100644 index 0000000..b9a2541 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/server-deployment.yaml @@ -0,0 +1,157 @@ +{{- if .Values.server.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }} + {{- with .Values.server.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.server.autoscaling.enabled }} + replicas: {{ .Values.server.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.server.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }} + template: + metadata: + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 8 }} + app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }} + {{- with .Values.server.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "argo-workflows.serverServiceAccountName" . }} + {{- with .Values.server.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.extraInitContainers }} + initContainers: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + containers: + - name: argo-server + image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.server.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.server.image.tag }}" + imagePullPolicy: {{ .Values.images.pullPolicy }} + securityContext: + {{- toYaml .Values.server.securityContext | nindent 12 }} + args: + - server + - --configmap={{ template "argo-workflows.controller.config-map.name" . }} + {{- with .Values.server.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- if .Values.server.authMode }} + - "--auth-mode={{ .Values.server.authMode }}" + {{- end }} + {{- range .Values.server.authModes }} + - "--auth-mode={{ . }}" + {{- end }} + - "--secure={{ .Values.server.secure }}" + {{- if .Values.singleNamespace }} + - "--namespaced" + {{- end }} + - "--loglevel" + - "{{ .Values.server.logging.level }}" + - "--gloglevel" + - "{{ .Values.server.logging.globallevel }}" + - "--log-format" + - "{{ .Values.server.logging.format }}" + ports: + - name: web + containerPort: 2746 + readinessProbe: + httpGet: + path: / + port: 2746 + {{- if .Values.server.secure }} + scheme: HTTPS + {{- else }} + scheme: HTTP + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 20 + env: + - name: IN_CLUSTER + value: "true" + - name: ARGO_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: ARGO_BASE_HREF + value: {{ .Values.server.baseHref | quote }} + {{- with .Values.server.extraEnv }} + {{- toYaml . | nindent 12 }} + {{- end }} + resources: + {{- toYaml .Values.server.resources | nindent 12 }} + volumeMounts: + - name: tmp + mountPath: /tmp + {{- with .Values.server.volumeMounts }} + {{- toYaml . | nindent 10}} + {{- end }} + {{- with .Values.server.lifecycle }} + lifecycle: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.server.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ . }} + {{- end }} + {{- with .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: tmp + {{- toYaml .Values.server.tmpVolume | nindent 8 }} + {{- with .Values.server.volumes }} + {{- toYaml . | nindent 6}} + {{- end }} + {{- with .Values.server.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{- range $constraint := . }} + - {{ toYaml $constraint | nindent 8 | trim }} + {{- if not $constraint.labelSelector }} + labelSelector: + matchLabels: + {{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.server.name) | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.server.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} +{{- end -}} diff --git a/opencloud/charts/argo-workflows/templates/server/server-ingress.yaml b/opencloud/charts/argo-workflows/templates/server/server-ingress.yaml new file mode 100644 index 0000000..db69b01 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/server-ingress.yaml @@ -0,0 +1,90 @@ +{{- if .Values.server.ingress.enabled -}} +{{- $serviceName := include "argo-workflows.server.fullname" . -}} +{{- $servicePort := .Values.server.servicePort -}} +{{- $paths := .Values.server.ingress.paths -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +{{- $pathType := .Values.server.ingress.pathType -}} +apiVersion: {{ include "argo-workflows.ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.server.ingress.annotations }} + annotations: + {{- range $key, $value := .Values.server.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +{{- end }} + name: {{ template "argo-workflows.server.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + {{- if .Values.server.ingress.labels }} + {{- toYaml .Values.server.ingress.labels | nindent 4 }} + {{- end }} +spec: + {{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }} + {{- with .Values.server.ingress.ingressClassName }} + ingressClassName: {{ . }} + {{- end }} + {{- end }} + rules: + {{- if .Values.server.ingress.hosts }} + {{- range $host := .Values.server.ingress.hosts }} + - host: {{ $host }} + http: + paths: + {{- if $extraPaths }} + {{- toYaml $extraPaths | nindent 10 }} + {{- end }} + {{- range $p := $paths }} + - path: {{ $p }} + {{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }} + pathType: {{ $pathType }} + {{- end }} + backend: + {{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }} + service: + name: {{ $serviceName }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} + {{- end -}} + {{- else }} + - http: + paths: + {{- if $extraPaths }} + {{- toYaml $extraPaths | nindent 10 }} + {{- end }} + {{- range $p := $paths }} + - path: {{ $p }} + {{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }} + pathType: {{ $pathType }} + {{- end }} + backend: + {{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }} + service: + name: {{ $serviceName }} + port: + {{- if kindIs "float64" $servicePort }} + number: {{ $servicePort }} + {{- else }} + name: {{ $servicePort }} + {{- end }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} + {{- end -}} + {{- if .Values.server.ingress.tls }} + tls: + {{- toYaml .Values.server.ingress.tls | nindent 4 }} + {{- end -}} +{{- end -}} diff --git a/opencloud/charts/argo-workflows/templates/server/server-sa.yaml b/opencloud/charts/argo-workflows/templates/server/server-sa.yaml new file mode 100644 index 0000000..d2c9c53 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/server-sa.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.server.enabled .Values.server.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "argo-workflows.serverServiceAccountName" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + {{- with .Values.server.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/opencloud/charts/argo-workflows/templates/server/server-service.yaml b/opencloud/charts/argo-workflows/templates/server/server-service.yaml new file mode 100644 index 0000000..39c3779 --- /dev/null +++ b/opencloud/charts/argo-workflows/templates/server/server-service.yaml @@ -0,0 +1,43 @@ +{{- if .Values.server.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "argo-workflows.server.fullname" . }} + namespace: {{ include "argo-workflows.namespace" . | quote }} + labels: + {{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }} + app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }} + {{- with .Values.server.serviceLabels }} + {{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.server.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.server.servicePort }} + {{- with .Values.server.servicePortName }} + name: {{ . }} + {{- end }} + targetPort: 2746 + {{- if and (eq .Values.server.serviceType "NodePort") .Values.server.serviceNodePort }} + nodePort: {{ .Values.server.serviceNodePort }} + {{- end }} + selector: + {{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }} + sessionAffinity: None + type: {{ .Values.server.serviceType }} + {{- if eq .Values.server.serviceType "LoadBalancer" }} + {{- with .Values.controller.loadBalancerClass }} + loadBalancerClass: {{ . }} + {{- end }} + {{- with .Values.server.loadBalancerIP }} + loadBalancerIP: {{ . | quote }} + {{- end }} + {{- if .Values.server.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml .Values.server.loadBalancerSourceRanges | nindent 4 }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/opencloud/charts/argo-workflows/values.yaml b/opencloud/charts/argo-workflows/values.yaml new file mode 100644 index 0000000..cf9b08d --- /dev/null +++ b/opencloud/charts/argo-workflows/values.yaml @@ -0,0 +1,943 @@ +images: + # -- Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`. + tag: "" + # -- imagePullPolicy to apply to all containers + pullPolicy: Always + # -- Secrets with credentials to pull images from a private registry + pullSecrets: [] + # - name: argo-pull-secret + +## Custom resource configuration +crds: + # -- Install and upgrade CRDs + install: true + # -- Keep CRDs on chart uninstall + keep: true + # -- Annotations to be added to all CRDs + annotations: {} + +# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds +## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles +createAggregateRoles: true + +# -- String to partially override "argo-workflows.fullname" template +nameOverride: + +# -- String to fully override "argo-workflows.fullname" template +fullnameOverride: + +# -- Override the namespace +# @default -- `.Release.Namespace` +namespaceOverride: "" + +# -- Labels to set on all resources +commonLabels: {} + +# -- Override the Kubernetes version, which is used to evaluate certain manifests +kubeVersionOverride: "" + +# Override APIVersions +apiVersionOverrides: + # -- String to override apiVersion of autoscaling rendered by this helm chart + autoscaling: "" # autoscaling/v2 + # -- String to override apiVersion of GKE resources rendered by this helm chart + cloudgoogle: "" # cloud.google.com/v1 + # -- String to override apiVersion of monitoring CRDs (ServiceMonitor) rendered by this helm chart + monitoring: "" # monitoring.coreos.com/v1 + +# -- Restrict Argo to operate only in a single namespace (the namespace of the +# Helm release) by apply Roles and RoleBindings instead of the Cluster +# equivalents, and start workflow-controller with the --namespaced flag. Use it +# in clusters with strict access policy. +singleNamespace: false + +workflow: + # -- Deprecated; use controller.workflowNamespaces instead. + namespace: + serviceAccount: + # -- Specifies whether a service account should be created + create: false + # -- Labels applied to created service account + labels: {} + # -- Annotations applied to created service account + annotations: {} + # -- Service account which is used to run workflows + name: "argo-workflow" + # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets` + pullSecrets: [] + rbac: + # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows. + # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) + create: true + # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates + agentPermissions: false + # -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc + artifactGC: false + # -- Extra service accounts to be added to the RoleBinding + serviceAccounts: [] + # - name: my-service-account + # namespace: my-namespace + +controller: + image: + # -- Registry to use for the controller + registry: quay.io + # -- Registry to use for the controller + repository: argoproj/workflow-controller + # -- Image tag for the workflow controller. Defaults to `.Values.images.tag`. + tag: "" + # -- parallelism dictates how many workflows can be running at the same time + parallelism: + # -- Globally limits the rate at which pods are created. + # This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of + # parallel nodes. + resourceRateLimit: {} + # limit: 10 + # burst: 1 + + rbac: + # -- Adds Role and RoleBinding for the controller. + create: true + # -- Allows controller to get, list, and watch certain k8s secrets + secretWhitelist: [] + # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. + accessAllSecrets: false + # -- Allows controller to create and update ConfigMaps. Enables memoization feature + writeConfigMaps: false + + configMap: + # -- Create a ConfigMap for the controller + create: true + # -- ConfigMap name + name: "" + # -- ConfigMap annotations + annotations: {} + + # -- Limits the maximum number of incomplete workflows in a namespace + namespaceParallelism: + # -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224 + initialDelay: + # -- deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment + deploymentAnnotations: {} + # -- podAnnotations is an optional map of annotations to be applied to the controller Pods + podAnnotations: {} + # -- Optional labels to add to the controller pods + podLabels: {} + # -- SecurityContext to set on the controller pods + podSecurityContext: {} + # podPortName: http + metricsConfig: + # -- Enables prometheus metrics server + enabled: false + # -- Path is the path where metrics are emitted. Must start with a "/". + path: /metrics + # -- Frequency at which prometheus scrapes metrics + interval: 30s + # -- Port is the port where metrics are emitted + port: 9090 + # -- How often custom metrics are cleared from memory + metricsTTL: "" + # -- Flag that instructs prometheus to ignore metric emission errors. + ignoreErrors: false + # -- Flag that use a self-signed cert for TLS + secure: false + # -- Container metrics port name + portName: metrics + # -- Service metrics port + servicePort: 8080 + # -- Service metrics port name + servicePortName: metrics + # -- Flag to enable headless service + headlessService: false + # -- When true, honorLabels preserves the metric’s labels when they collide with the target’s labels. + ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#honorlabels + honorLabels: false + # -- ServiceMonitor relabel configs to apply to samples before scraping + ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig + relabelings: [] + # -- ServiceMonitor metric relabel configs to apply to samples before ingestion + ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint + metricRelabelings: [] + # -- ServiceMonitor will add labels from the service to the Prometheus metric + ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec + targetLabels: [] + # -- the controller container's securityContext + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available. + ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/ + persistence: {} + # connectionPool: + # maxIdleConns: 100 + # maxOpenConns: 0 + # # save the entire workflow into etcd and DB + # nodeStatusOffLoad: false + # # enable archiving of old workflows + # archive: false + # postgresql: + # host: localhost + # port: 5432 + # database: postgres + # tableName: argo_workflows + # # the database secrets must be in the same namespace of the controller + # userNameSecret: + # name: argo-postgres-config + # key: username + # passwordSecret: + # name: argo-postgres-config + # key: password + # ssl: true + # # sslMode must be one of: disable, require, verify-ca, verify-full + # # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq + # sslMode: require + # mysql: + # host: localhost + # port: 3306 + # database: argo + # tableName: argo_workflows + # userNameSecret: + # name: argo-mysql-config + # key: username + # passwordSecret: + # name: argo-mysql-config + # key: password + + # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. + # Only valid for 2.7+ + ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/ + workflowDefaults: {} + # spec: + # ttlStrategy: + # secondsAfterCompletion: 86400 + # # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/ + # artifactRepositoryRef: + # configMap: my-artifact-repository # default is "artifact-repositories" + # key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map. + + # -- Number of workflow workers + workflowWorkers: # 32 + # -- Number of workflow TTL workers + workflowTTLWorkers: # 4 + # -- Number of pod cleanup workers + podCleanupWorkers: # 4 + # -- Number of cron workflow workers + # Only valid for 3.5+ + cronWorkflowWorkers: # 8 + # -- Restricts the Workflows that the controller will process. + # Only valid for 2.9+ + workflowRestrictions: {} + # templateReferencing: Strict|Secure + + # telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint + # as metrics by default, but can be overridden using this config. + telemetryConfig: + # -- Enables prometheus telemetry server + enabled: false + # -- telemetry path + path: /telemetry + # -- Frequency at which prometheus scrapes telemetry data + interval: 30s + # -- telemetry container port + port: 8081 + # -- How often custom metrics are cleared from memory + metricsTTL: "" + # -- Flag that instructs prometheus to ignore metric emission errors. + ignoreErrors: false + # -- Flag that use a self-signed cert for TLS + secure: false + # -- telemetry service port + servicePort: 8081 + # -- telemetry service port name + servicePortName: telemetry + serviceMonitor: + # -- Enable a prometheus ServiceMonitor + enabled: false + # -- Prometheus ServiceMonitor labels + additionalLabels: {} + # -- Prometheus ServiceMonitor namespace + namespace: "" # "monitoring" + serviceAccount: + # -- Create a service account for the controller + create: true + # -- Service account name + name: "" + # -- Labels applied to created service account + labels: {} + # -- Annotations applied to created service account + annotations: {} + + # -- Workflow controller name string + name: workflow-controller + + # -- Specify all namespaces where this workflow controller instance will manage + # workflows. This controls where the service account and RBAC resources will + # be created. Only valid when singleNamespace is false. + workflowNamespaces: + - default + + instanceID: + # -- Configures the controller to filter workflow submissions + # to only those which have a matching instanceID attribute. + ## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName` + ## or `instanceID.explicitID` must be defined. + enabled: false + # -- Use ReleaseName as instanceID + useReleaseName: false + # useReleaseName: true + + # -- Use a custom instanceID + explicitID: "" + # explicitID: unique-argo-controller-identifier + + logging: + # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`) + level: info + # -- Set the glog logging level + globallevel: "0" + # -- Set the logging format (one of: `text`, `json`) + format: "text" + + # -- Service type of the controller Service + serviceType: ClusterIP + # -- Annotations to be applied to the controller Service + serviceAnnotations: {} + # -- Optional labels to add to the controller Service + serviceLabels: {} + # -- The class of the load balancer implementation + loadBalancerClass: "" + # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer` + loadBalancerSourceRanges: [] + + # -- Resource limits and requests for the controller + resources: {} + + # -- Configure liveness [probe] for the controller + # @default -- See [values.yaml] + livenessProbe: + httpGet: + port: 6060 + path: /healthz + failureThreshold: 3 + initialDelaySeconds: 90 + periodSeconds: 60 + timeoutSeconds: 30 + + # -- Extra environment variables to provide to the controller container + extraEnv: [] + # - name: FOO + # value: "bar" + + # -- Extra arguments to be added to the controller + extraArgs: [] + # -- Additional volume mounts to the controller main container + volumeMounts: [] + # -- Additional volumes to the controller pod + volumes: [] + # -- The number of controller pods to run + replicas: 1 + # -- The number of revisions to keep. + revisionHistoryLimit: 10 + + pdb: + # -- Configure [Pod Disruption Budget] for the controller pods + enabled: false + # minAvailable: 1 + # maxUnavailable: 1 + + # -- [Node selector] + nodeSelector: + kubernetes.io/os: linux + # -- [Tolerations] for use with node taints + tolerations: [] + # -- Assign custom [affinity] rules + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the workflow controller + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Leverage a PriorityClass to ensure your pods survive resource shortages. + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + priorityClassName: "" + + # -- Configure Argo Server to show custom [links] + ## Ref: https://argo-workflows.readthedocs.io/en/stable/links/ + links: [] + # -- Configure Argo Server to show custom [columns] + ## Ref: https://github.com/argoproj/argo-workflows/pull/10693 + columns: [] + # -- Set ui navigation bar background color + navColor: "" + clusterWorkflowTemplates: + # -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. + enabled: true + # -- Extra service accounts to be added to the ClusterRoleBinding + serviceAccounts: [] + # - name: my-service-account + # namespace: my-namespace + # -- Extra containers to be added to the controller deployment + extraContainers: [] + + # -- Enables init containers to be added to the controller deployment + extraInitContainers: [] + + # -- Workflow retention by number of workflows + retentionPolicy: {} + # completed: 10 + # failed: 3 + # errored: 3 + + nodeEvents: + # -- Enable to emit events on node completion. + ## This can take up a lot of space in k8s (typically etcd) resulting in errors when trying to create new events: + ## "Unable to create audit event: etcdserver: mvcc: database space exceeded" + enabled: true + + workflowEvents: + # -- Enable to emit events on workflow status changes. + ## This can take up a lot of space in k8s (typically etcd), resulting in errors when trying to create new events: + ## "Unable to create audit event: etcdserver: mvcc: database space exceeded" + enabled: true + + # -- Configure when workflow controller runs in a different k8s cluster with the workflow workloads, + # or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret. + # @default -- `{}` (See [values.yaml]) + kubeConfig: {} + # # name of the kubeconfig secret, may not be empty when kubeConfig specified + # secretName: kubeconfig-secret + # # key of the kubeconfig secret, may not be empty when kubeConfig specified + # secretKey: kubeconfig + # # mounting path of the kubeconfig secret, default to /kube/config + # mountPath: /kubeconfig/mount/path + # # volume name when mounting the secret, default to kubeconfig + # volumeName: kube-config-volume + + # -- Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately. + # @default -- `30` seconds (Kubernetes default) + podGCGracePeriodSeconds: + + # -- The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately. + # @default -- `5s` (Argo Workflows default) + podGCDeleteDelayDuration: "" + +# mainContainer adds default config for main container that could be overriden in workflows template +mainContainer: + # -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`. + imagePullPolicy: "" + # -- Resource limits and requests for the Workflow main container + resources: {} + # -- Adds environment variables for the Workflow main container + env: [] + # -- Adds reference environment variables for the Workflow main container + envFrom: [] + # -- sets security context for the Workflow main container + securityContext: {} + +# executor controls how the init and wait container should be customized +executor: + image: + # -- Registry to use for the Workflow Executors + registry: quay.io + # -- Repository to use for the Workflow Executors + repository: argoproj/argoexec + # -- Image tag for the workflow executor. Defaults to `.Values.images.tag`. + tag: "" + # -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`. + pullPolicy: "" + # -- Resource limits and requests for the Workflow Executors + resources: {} + # -- Passes arguments to the executor processes + args: [] + # -- Adds environment variables for the executor. + env: [] + # -- sets security context for the executor container + securityContext: {} + +server: + # -- Deploy the Argo Server + enabled: true + # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. + ## only updates base url of resources on client side, + ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix + ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190 + baseHref: / + image: + # -- Registry to use for the server + registry: quay.io + # -- Repository to use for the server + repository: argoproj/argocli + # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`. + tag: "" + # -- optional map of annotations to be applied to the ui Deployment + deploymentAnnotations: {} + # -- optional map of annotations to be applied to the ui Pods + podAnnotations: {} + # -- Optional labels to add to the UI pods + podLabels: {} + # -- SecurityContext to set on the server pods + podSecurityContext: {} + rbac: + # -- Adds Role and RoleBinding for the server. + create: true + # -- Servers container-level security context + securityContext: + readOnlyRootFilesystem: false + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + # -- Server name string + name: server + # -- Service type for server pods + serviceType: ClusterIP + # -- Service port for server + servicePort: 2746 + # -- Service node port + serviceNodePort: # 32746 + # -- Service port name + servicePortName: "" # http + + # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files + hostAliases: [] + # - ip: 10.20.30.40 + # hostnames: + # - git.myhostname + + serviceAccount: + # -- Create a service account for the server + create: true + # -- Service account name + name: "" + # -- Labels applied to created service account + labels: {} + # -- Annotations applied to created service account + annotations: {} + + # -- Annotations to be applied to the UI Service + serviceAnnotations: {} + # -- Optional labels to add to the UI Service + serviceLabels: {} + # -- The class of the load balancer implementation + loadBalancerClass: "" + # -- Static IP address to assign to loadBalancer service type `LoadBalancer` + loadBalancerIP: "" + # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer` + loadBalancerSourceRanges: [] + # -- Resource limits and requests for the server + resources: {} + # -- The number of server pods to run + replicas: 1 + # -- The number of revisions to keep. + revisionHistoryLimit: 10 + ## Argo Server Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server + enabled: false + # -- Minimum number of replicas for the Argo Server [HPA] + minReplicas: 1 + # -- Maximum number of replicas for the Argo Server [HPA] + maxReplicas: 5 + # -- Average CPU utilization percentage for the Argo Server [HPA] + targetCPUUtilizationPercentage: 50 + # -- Average memory utilization percentage for the Argo Server [HPA] + targetMemoryUtilizationPercentage: 50 + # -- Configures the scaling behavior of the target in both Up and Down directions. + # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer + behavior: {} + # scaleDown: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 1 + # periodSeconds: 180 + # scaleUp: + # stabilizationWindowSeconds: 300 + # policies: + # - type: Pods + # value: 2 + pdb: + # -- Configure [Pod Disruption Budget] for the server pods + enabled: false + # minAvailable: 1 + # maxUnavailable: 1 + + # -- [Node selector] + nodeSelector: + kubernetes.io/os: linux + + # -- [Tolerations] for use with node taints + tolerations: [] + + # -- Assign custom [affinity] rules + affinity: {} + + # -- Assign custom [TopologySpreadConstraints] rules to the argo server + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ + ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment + topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + + # -- Leverage a PriorityClass to ensure your pods survive resource shortages + ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/ + priorityClassName: "" + + # -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs. + ## See the following documentation for more details on secure mode: + ## https://argo-workflows.readthedocs.io/en/stable/tls/ + secure: false + + # -- Extra environment variables to provide to the argo-server container + extraEnv: [] + # - name: FOO + # value: "bar" + + # -- Deprecated; use server.authModes instead. + authMode: "" + + # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well. + ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/ + authModes: [] + + # -- Extra arguments to provide to the Argo server binary. + ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server/#options + extraArgs: [] + + logging: + # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`) + level: info + # -- Set the glog logging level + globallevel: "0" + # -- Set the logging format (one of: `text`, `json`) + format: "text" + + # -- Volume to be mounted in Pods for temporary files. + tmpVolume: + emptyDir: {} + # -- Additional volume mounts to the server main container. + volumeMounts: [] + # -- Additional volumes to the server pod. + volumes: [] + + ## Ingress configuration. + # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ + ingress: + # -- Enable an ingress resource + enabled: false + # -- Additional ingress annotations + annotations: {} + # -- Additional ingress labels + labels: {} + # -- Defines which ingress controller will implement the resource + ingressClassName: "" + + # -- List of ingress hosts + ## Hostnames must be provided if Ingress is enabled. + ## Secrets must be manually created in the namespace + hosts: [] + # - argoworkflows.example.com + + # -- List of ingress paths + paths: + - / + + # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` + pathType: Prefix + # -- Additional ingress paths + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used) + # - path: /* + # pathType: Prefix + # backend: + # service + # name: ssl-redirect + # port: + # name: use-annotation + + # -- Ingress TLS configuration + tls: [] + # - secretName: argoworkflows-example-tls + # hosts: + # - argoworkflows.example.com + + ## Create a Google Backendconfig for use with the GKE Ingress Controller + ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters + GKEbackendConfig: + # -- Enable BackendConfig custom resource for Google Kubernetes Engine + enabled: false + # -- [BackendConfigSpec] + spec: {} + # spec: + # iap: + # enabled: true + # oauthclientCredentials: + # secretName: argoworkflows-secret + + ## Create a Google Managed Certificate for use with the GKE Ingress Controller + ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs + GKEmanagedCertificate: + # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine. + enabled: false + # -- Domains for the Google Managed Certificate + domains: + - argoworkflows.example.com + + ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller + ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters + GKEfrontendConfig: + # -- Enable FrontConfig custom resource for Google Kubernetes Engine + enabled: false + # -- [FrontendConfigSpec] + spec: {} + # spec: + # redirectToHttps: + # enabled: true + # responseCodeName: RESPONSE_CODE + + clusterWorkflowTemplates: + # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. + enabled: true + # -- Give the server permissions to edit ClusterWorkflowTemplates. + enableEditing: true + + # SSO configuration when SSO is specified as a server auth mode. + sso: + # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authMode` as `sso`. + enabled: false + # -- The root URL of the OIDC identity provider + issuer: https://accounts.google.com + clientId: + # -- Name of secret to retrieve the app OIDC client ID + name: argo-server-sso + # -- Key of secret to retrieve the app OIDC client ID + key: client-id + clientSecret: + # -- Name of a secret to retrieve the app OIDC client secret + name: argo-server-sso + # -- Key of a secret to retrieve the app OIDC client secret + key: client-secret + # -- The OIDC redirect URL. Should be in the form /oauth2/callback. + redirectUrl: "" + rbac: + # -- Adds ServiceAccount Policy to server (Cluster)Role. + enabled: true + # -- Whitelist to allow server to fetch Secrets + ## When present, restricts secrets the server can read to a given list. + ## You can use it to restrict the server to only be able to access the + ## service account token secrets that are associated with service accounts + ## used for authorization. + secretWhitelist: [] + # -- Scopes requested from the SSO ID provider + ## The 'groups' scope requests group membership information, which is usually used for authorization decisions. + scopes: [] + # - groups + # -- Define how long your login is valid for (in hours) + ## If omitted, defaults to 10h. + sessionExpiry: "" + # -- Alternate root URLs that can be included for some OIDC providers + issuerAlias: "" + # -- Override claim name for OIDC groups + customGroupClaimName: "" + # -- Specify the user info endpoint that contains the groups claim + ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta) + userInfoPath: "" + # -- Skip TLS verification for the HTTP client + insecureSkipVerify: false + # -- Filter the groups returned by the OIDC provider + ## A logical "OR" is used between each regex in the list + filterGroupsRegex: [] + # - ".*argo-wf.*" + # - ".*argo-workflow.*" + + # -- Extra containers to be added to the server deployment + extraContainers: [] + + # -- Enables init containers to be added to the server deployment + extraInitContainers: [] + + # -- Specify postStart and preStop lifecycle hooks for server container + lifecycle: {} + + # -- terminationGracePeriodSeconds for container lifecycle hook + terminationGracePeriodSeconds: 30 + +# -- Array of extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: secrets-store.csi.x-k8s.io/v1 + # kind: SecretProviderClass + # metadata: + # name: argo-server-sso + # spec: + # provider: aws + # parameters: + # objects: | + # - objectName: "argo/server/sso" + # objectType: "secretsmanager" + # jmesPath: + # - path: "client_id" + # objectAlias: "client_id" + # - path: "client_secret" + # objectAlias: "client_secret" + # secretObjects: + # - data: + # - key: client_id + # objectName: client_id + # - key: client_secret + # objectName: client_secret + # secretName: argo-server-sso-secrets-store + # type: Opaque + +# -- Use static credentials for S3 (eg. when not using AWS IRSA) +useStaticCredentials: true +artifactRepository: + # -- Archive the main container logs as an artifact + archiveLogs: false + # -- Store artifact in a S3-compliant object store + # @default -- See [values.yaml] + s3: {} + # # Note the `key` attribute is not the actual secret, it's the PATH to + # # the contents in the associated secret, as defined by the `name` attribute. + # accessKeySecret: + # name: "{{ .Release.Name }}-minio" + # key: accesskey + # secretKeySecret: + # name: "{{ .Release.Name }}-minio" + # key: secretkey + # sessionTokenSecret: + # name: "{{ .Release.Name }}-minio" + # key: sessionToken + # # insecure will disable TLS. Primarily used for minio installs not configured with TLS + # insecure: false + # caSecret: + # name: ca-root + # key: cert.pem + # bucket: + # endpoint: + # region: + # roleARN: + # useSDKCreds: true + # encryptionOptions: + # enableEncryption: true + # -- Store artifact in a GCS object store + # @default -- `{}` (See [values.yaml]) + gcs: {} + # bucket: -argo + # keyFormat: "{{ \"{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}\" }}" + # # serviceAccountKeySecret is a secret selector. + # # It references the k8s secret named 'my-gcs-credentials'. + # # This secret is expected to have have the key 'serviceAccountKey', + # # containing the base64 encoded credentials + # # to the bucket. + # # + # # If it's running on GKE and Workload Identity is used, + # # serviceAccountKeySecret is not needed. + # serviceAccountKeySecret: + # name: my-gcs-credentials + # key: serviceAccountKey + # -- Store artifact in Azure Blob Storage + # @default -- `{}` (See [values.yaml]) + azure: {} + # endpoint: https://mystorageaccountname.blob.core.windows.net + # container: my-container-name + # blobNameFormat: path/in/container + # # accountKeySecret is a secret selector. + # # It references the k8s secret named 'my-azure-storage-credentials'. + # # This secret is expected to have have the key 'account-access-key', + # # containing the base64 encoded credentials to the storage account. + # # If a managed identity has been assigned to the machines running the + # # workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity) + # # then accountKeySecret is not needed, and useSDKCreds should be + # # set to true instead: + # useSDKCreds: true + # accountKeySecret: + # name: my-azure-storage-credentials + # key: account-access-key + +# -- The section of custom artifact repository. +# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure) +customArtifactRepository: {} +# artifactory: +# repoUrl: https://artifactory.example.com/raw +# usernameSecret: +# name: artifactory-creds +# key: username +# passwordSecret: +# name: artifactory-creds +# key: password + +# -- The section of [artifact repository ref](https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/). +# Each map key is the name of configmap +# @default -- `{}` (See [values.yaml]) +artifactRepositoryRef: {} + # # -- 1st ConfigMap + # # If you want to use this config map by default, name it "artifact-repositories". + # # Otherwise, you can provide a reference to a + # # different config map in `artifactRepositoryRef.configMap`. + # artifact-repositories: + # # -- v3.0 and after - if you want to use a specific key, put that key into this annotation. + # annotations: + # workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository + # # 1st data of configmap. See above artifactRepository or customArtifactRepository. + # default-v1-s3-artifact-repository: + # archiveLogs: false + # s3: + # bucket: my-bucket + # endpoint: minio:9000 + # insecure: true + # accessKeySecret: + # name: my-minio-cred + # key: accesskey + # secretKeySecret: + # name: my-minio-cred + # key: secretkey + # # 2nd data + # oss-artifact-repository: + # archiveLogs: false + # oss: + # endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com + # bucket: $mybucket + # # accessKeySecret and secretKeySecret are secret selectors. + # # It references the k8s secret named 'bucket-workflow-artifect-credentials'. + # # This secret is expected to have have the keys 'accessKey' + # # and 'secretKey', containing the base64 encoded credentials + # # to the bucket. + # accessKeySecret: + # name: $mybucket-credentials + # key: accessKey + # secretKeySecret: + # name: $mybucket-credentials + # key: secretKey + # # 2nd ConfigMap + # another-artifact-repositories: + # annotations: + # workflows.argoproj.io/default-artifact-repository: gcs + # gcs: + # bucket: my-bucket + # keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}} + # serviceAccountKeySecret: + # name: my-gcs-credentials + # key: serviceAccountKey + +emissary: + # -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used. + ## See more: https://argo-workflows.readthedocs.io/en/stable/workflow-executors/#emissary-emissary + images: [] + # argoproj/argosay:v2: + # cmd: [/argosay] + # docker/whalesay:latest: + # cmd: [/bin/bash] diff --git a/opencloud/dev-values.yaml b/opencloud/dev-values.yaml index 8714743..b766ed5 100644 --- a/opencloud/dev-values.yaml +++ b/opencloud/dev-values.yaml @@ -340,6 +340,21 @@ loki: grafana: enabled: false +argo-workflows: + enabled: true + workflow: + serviceAccount: + create: false + name: argo-workflow + rbac: + create: false # Manual provisioning + controller: + workflowNamespaces: [] #All of them + controller: + workflowDefaults: + spec: + serviceAccountName: argo-workflow + ocAuth: enabled: true image: oc/oc-auth:0.0.1 diff --git a/opencloud/templates/argo.yaml b/opencloud/templates/argo.yaml new file mode 100644 index 0000000..1eb7eff --- /dev/null +++ b/opencloud/templates/argo.yaml @@ -0,0 +1,87 @@ +{{- if index .Values "argo-workflows" "enabled" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-workflow + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: custom-argo-clusterrole +rules: + # Default Argo permissions + - apiGroups: [""] + resources: ["configmaps", "pods", "pods/log", "secrets", "persistentvolumeclaims", "serviceaccounts"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: [""] + resources: ["services"] + verbs: ["get", "list", "watch"] + - apiGroups: ["argoproj.io"] + resources: ["workflows", "workflowtemplates", "cronworkflows", "workflowtasksets", "workfloweventbindings", "clusterworkflowtemplates"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "delete", "get", "list", "update"] + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "get"] + # Full power activated + - apiGroups: [""] + resources: ["bindings", "endpoints", "events", "limitranges", "namespaces", "nodes", "persistentvolumes", "replicationcontrollers", "resourcequotas"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["apps"] + resources: ["daemonsets", "deployments", "replicasets", "statefulsets"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["autoscaling"] + resources: ["horizontalpodautoscalers"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["batch"] + resources: ["cronjobs"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["networkpolicies", "ingresses"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["policy"] + resources: ["poddisruptionbudgets"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses", "volumeattachments"] + verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] + - apiGroups: ["argoproj.io"] + resources: ["workflowtaskresults"] + verbs: ["create", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: custom-argo-clusterrolebinding +subjects: + - kind: ServiceAccount + name: argo-workflow + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom-argo-clusterrole +--- +apiVersion: argoproj.io/v1alpha1 +kind: Workflow +metadata: + name: hello-world + namespace: {{ .Release.Namespace }} +spec: + entrypoint: whalesay + templates: + - name: whalesay + container: + image: docker/whalesay + command: [ cowsay ] + args: [ "hello world" ] +{{- end }} \ No newline at end of file diff --git a/opencloud/templates/hydra.yaml b/opencloud/templates/hydra.yaml index e51ace0..3baaa94 100644 --- a/opencloud/templates/hydra.yaml +++ b/opencloud/templates/hydra.yaml @@ -1,4 +1,4 @@ -{{- if index .Values "mongo-express" "enabled" }} +{{- if index .Values "hydra" "enabled" }} apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: @@ -8,11 +8,11 @@ spec: - web routes: - kind: Rule - match: Host(`{{ .Values.host }}`) && PathPrefix(`/auth`) + match: Host(`{{ .Values.host }}`) && PathPrefix(`/hydra`) priority: 10 services: - kind: Service - name: {{ .Release.Name }}-mongo-express + name: {{ .Release.Name }}-hydra-public.{{ .Release.Namespace }} passHostHeader: true - port: 8081 + port: 4444 {{- end }} \ No newline at end of file diff --git a/upgrade_development_dry_run.sh b/upgrade_development_dry_run.sh new file mode 100755 index 0000000..a919069 --- /dev/null +++ b/upgrade_development_dry_run.sh @@ -0,0 +1,5 @@ +#!/bin/bash +RELEASE_NAME=dev +RELEASE_NAMESPACE=dev + +helm upgrade ${RELEASE_NAME} opencloud -n ${RELEASE_NAMESPACE} --create-namespace -f opencloud/dev-values.yaml --dry-run --debug