Merge pull request #122 from iits-consulting/argo-update

Update ArgoCD to 2.11.7
iits-consulting · Jul 25, 2024 · 3e46724 · 3e46724
2 parents 9756059 + e450845
commit 3e46724
Show file tree

Hide file tree

Showing 10 changed files with 63 additions and 41 deletions.
diff --git a/.github/workflows/update_documentation.yaml b/.github/workflows/update_documentation.yaml
@@ -6,6 +6,7 @@ on:
       - "*"
     paths:
       - 'charts/**/values.yaml'
+      - 'charts/**/Chart.yaml'
       - 'charts/README.md.gotmpl'
       - '.github/workflows/update_documentation.yaml'
 

diff --git a/charts/argocd/Chart.lock b/charts/argocd/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: argo-cd
-  repository: https://charts.bitnami.com/bitnami
-  version: 6.4.0
-digest: sha256:b05c56b5912292b2f00adf4ebe25785618251225380e23ac14ae0cee73c725ee
-generated: "2024-06-03T12:33:16.441848+02:00"
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 6.6.7
+digest: sha256:a65026cc706031b4fe9cb309b4c98e1e51d58ea3b4567ebd435b207adfdfa70c
+generated: "2024-07-24T20:03:23.706528+02:00"
diff --git a/charts/argocd/Chart.yaml b/charts/argocd/Chart.yaml
@@ -10,7 +10,7 @@ description: |
     name                  = "argocd"
     repository            = "https://charts.iits.tech"
     chart                 = "argocd"
-    version               = "16.2.0"
+    version               = "16.2.1"
     namespace             = "argocd"
     create_namespace      = true
     wait                  = true
@@ -19,19 +19,21 @@ description: |
     render_subchart_notes = true
     dependency_update     = true
     wait_for_jobs         = true
+    set_sensitive {
+      name  = "projects.app-charts.git.password"
+      value = var.git_token
+    }
     values                = [
       yamlencode({
         projects = {
           infrastructure-charts = {
             projectValues = {
               # Set this to enable stage values-$STAGE.yaml
               stage        = var.stage
-              # Example values which are handed down to the project. Like this you can give over informations from terraform to argocd
+              # Example values which are handed down to the project. Like this you can give over information from terraform to argo-cd
               rootDomain  = var.domain_name
             }
-
             git = {
-              password = var.git_token
               repoUrl  = "https://github.com/iits-consulting/otc-infrastructure-charts-template"
             }
           }
@@ -46,9 +48,9 @@ description: |
   named infrastructure-charts and will install everything from there.
 
 name: argocd
-appVersion: 2.11.2
-version: 16.2.0
+appVersion: 2.11.7
+version: 16.2.1
 dependencies:
   - name: argo-cd
-    repository: https://charts.bitnami.com/bitnami
-    version: 6.4.0
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 6.6.7
diff --git a/charts/argocd/README.md b/charts/argocd/README.md
@@ -1,6 +1,6 @@
 # argocd
 
-![Version: 16.2.0](https://img.shields.io/badge/Version-16.2.0-informational?style=flat-square) ![AppVersion: 2.11.2](https://img.shields.io/badge/AppVersion-2.11.2-informational?style=flat-square)
+![Version: 16.2.1](https://img.shields.io/badge/Version-16.2.1-informational?style=flat-square) ![AppVersion: 2.11.7](https://img.shields.io/badge/AppVersion-2.11.7-informational?style=flat-square)
 
 This chart is used to bootstrap a Kubernetes cluster with `argocd`.
 You can use this chart to deploy `argocd` through tools like `terraform`.
@@ -12,7 +12,7 @@ resource "helm_release" "argocd" {
   name                  = "argocd"
   repository            = "https://charts.iits.tech"
   chart                 = "argocd"
-  version               = "16.2.0"
+  version               = "16.2.1"
   namespace             = "argocd"
   create_namespace      = true
   wait                  = true
@@ -21,19 +21,21 @@ resource "helm_release" "argocd" {
   render_subchart_notes = true
   dependency_update     = true
   wait_for_jobs         = true
+  set_sensitive {
+    name  = "projects.app-charts.git.password"
+    value = var.git_token
+  }
   values                = [
     yamlencode({
       projects = {
         infrastructure-charts = {
           projectValues = {
             # Set this to enable stage values-$STAGE.yaml
             stage        = var.stage
-            # Example values which are handed down to the project. Like this you can give over informations from terraform to argocd
+            # Example values which are handed down to the project. Like this you can give over information from terraform to argo-cd
             rootDomain  = var.domain_name
           }
-
           git = {
-            password = var.git_token
             repoUrl  = "https://github.com/iits-consulting/otc-infrastructure-charts-template"
           }
         }
@@ -51,7 +53,7 @@ named infrastructure-charts and will install everything from there.
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://charts.bitnami.com/bitnami | argo-cd | 6.4.0 |
+| oci://registry-1.docker.io/bitnamicharts | argo-cd | 6.6.7 |
 
 ## Values
 
@@ -60,6 +62,7 @@ named infrastructure-charts and will install everything from there.
 | argo-cd.config.rbac."policy.csv" | string | `"g, ARGOCD-ADMIN, role:admin\ng, SYSTEM-ADMINISTRATOR, role:admin\n"` |  |
 | argo-cd.controller.extraEnvVars[0].name | string | `"TZ"` |  |
 | argo-cd.controller.extraEnvVars[0].value | string | `"Europe/Berlin"` |  |
+| argo-cd.controller.kind | string | `"StatefulSet"` |  |
 | argo-cd.controller.logFormat | string | `"json"` |  |
 | argo-cd.controller.replicaCount | int | `2` |  |
 | argo-cd.controller.resourcesPreset | string | `"medium"` |  |
@@ -70,23 +73,27 @@ named infrastructure-charts and will install everything from there.
 | argo-cd.repoServer.extraEnvVars[0].name | string | `"TZ"` |  |
 | argo-cd.repoServer.extraEnvVars[0].value | string | `"Europe/Berlin"` |  |
 | argo-cd.repoServer.logFormat | string | `"json"` |  |
+| argo-cd.repoServer.replicaCount | int | `2` |  |
 | argo-cd.repoServer.resourcesPreset | string | `"small"` |  |
 | argo-cd.server.config."oidc.config" | string | `"name: OIDC\nissuer: $argocd-oidc:oidcURL\nclientID: $argocd-oidc:clientID\nclientSecret: $argocd-oidc:clientSecret\nrequestedScopes:\n  - openid\n  - profile\n  - email\n  - groups\nrequestedIDTokenClaims:\n  groups:\n    essential: true\n"` |  |
 | argo-cd.server.config."resource.customizations" | string | `"# Ignores .data changes of all secrets with a vaultInjectionChecksum annotation\nargoproj.io/Application:\n ignoreDifferences: |\n    jqPathExpressions:\n      - '. | select(.metadata.annotations.parametersChecksum) | .spec.source.helm'\n      - '. | select(.metadata.annotations.valueFileChecksum) | .spec.source.helm'\n# Ignores caBundle and template changes of the following resources\nadmissionregistration.k8s.io/MutatingWebhookConfiguration:\n  ignoreDifferences: |\n    jqPathExpressions:\n      - .metadata.annotations.template\n      - '.webhooks'\napiextensions.k8s.io/CustomResourceDefinition:\n  ignoreDifferences: |\n    jqPathExpressions:\n      - .spec.conversion.webhookClientConfig.caBundle\nadmissionregistration.k8s.io/ValidatingWebhookConfiguration:\n  ignoreDifferences: |\n    jqPathExpressions:\n      - .metadata.annotations.template\n      - '.webhooks[]?.clientConfig.caBundle'\n      - '.webhooks'\ncert-manager.io/Certificate:\n  ignoreDifferences: |\n    jqPathExpressions:\n      - .spec.duration\nnetworking.k8s.io/Ingress:\n  health.lua: |\n    hs = {}\n    hs.status = \"Healthy\"\n    return hs\n"` |  |
 | argo-cd.server.config.url | string | `"https://{{ .Values.server.ingress.hostname }}{{ .Values.server.ingress.path }}"` |  |
 | argo-cd.server.extraEnvVars[0].name | string | `"TZ"` |  |
 | argo-cd.server.extraEnvVars[0].value | string | `"Europe/Berlin"` |  |
 | argo-cd.server.extraEnvVars[1].name | string | `"ARGOCD_SERVER_ROOTPATH"` |  |
-| argo-cd.server.extraEnvVars[1].value | string | `"{{ .Values.server.ingress.path }}"` |  |
-| argo-cd.server.extraEnvVars[2].name | string | `"ARGOCD_SERVER_BASEHREF"` |  |
-| argo-cd.server.extraEnvVars[2].value | string | `"{{ .Values.server.ingress.path }}"` |  |
+| argo-cd.server.extraEnvVars[1].value | string | `"{{ $path := .Values.server.ingress.path }}{{ if ($path | ne \"/\") }}{{ $path }}{{ end }}"` |  |
 | argo-cd.server.ingress.annotations."traefik.ingress.kubernetes.io/router.entrypoints" | string | `"websecure"` |  |
 | argo-cd.server.ingress.annotations."traefik.ingress.kubernetes.io/router.tls" | string | `"true"` |  |
 | argo-cd.server.ingress.enabled | bool | `true` |  |
 | argo-cd.server.ingress.hostname | string | `"SET_BY_TERRAFORM"` |  |
 | argo-cd.server.ingress.path | string | `"/argocd"` |  |
 | argo-cd.server.insecure | bool | `true` |  |
 | argo-cd.server.logFormat | string | `"json"` |  |
+| argo-cd.server.replicaCount | int | `2` |  |
+| global.syncWindow[0].duration | string | `"24h"` |  |
+| global.syncWindow[0].kind | string | `"allow"` |  |
+| global.syncWindow[0].manualSync | bool | `true` |  |
+| global.syncWindow[0].schedule | string | `"* * * * *"` |  |
 | policyException.enabled | bool | `true` |  |
 | projects | string | `nil` | List of projects which you want to bootstrap |
 

diff --git a/charts/argocd/templates/kyverno/policy-exception.yaml b/charts/argocd/templates/kyverno/policy-exception.yaml
@@ -31,7 +31,6 @@ spec:
           namespaces:
             - {{ $.Release.Namespace }}
           names:
-
             - argocd-repo-server*
 {{- end }}
 {{- end }}
diff --git a/charts/argocd/templates/projects/application.yaml b/charts/argocd/templates/projects/application.yaml
@@ -3,10 +3,6 @@ apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: {{ $projectName }}
-  # application needs to be installed after the crds
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-5"
 spec:
    project: {{ $projectName }}
    revisionHistoryLimit: 3

diff --git a/charts/argocd/templates/projects/helm-registries.yaml b/charts/argocd/templates/projects/helm-registries.yaml
@@ -8,9 +8,6 @@ metadata:
   labels:
     argocd.argoproj.io/secret-type: repository
     app.kubernetes.io/part-of: argocd
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-5"
 data:
   name: {{ printf $registryName| b64enc }}
   password: {{ printf $registry.password | b64enc }}

diff --git a/charts/argocd/templates/projects/project.yaml b/charts/argocd/templates/projects/project.yaml
@@ -3,10 +3,6 @@ apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
   name: {{ $projectName }}
-  # project needs to be installed after the crds
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-5"
 spec:
   sourceRepos:
     - {{ $project.git.repoUrl }}
@@ -20,6 +16,10 @@ spec:
   destinations:
     - namespace: '*'
       server: 'https://kubernetes.default.svc'
+  syncWindows:
+  {{- range $syncWindow := default $.Values.global.syncWindow $project.syncWindow }}
+    - {{ (tpl (toYaml $syncWindow) $) | nindent 6 -}}
+  {{ end }}
   clusterResourceWhitelist:
     - group: '*'
       kind: '*'

diff --git a/charts/argocd/templates/projects/repo-config.yaml b/charts/argocd/templates/projects/repo-config.yaml
@@ -6,9 +6,6 @@ metadata:
   labels:
     argocd.argoproj.io/secret-type: repository
     app.kubernetes.io/part-of: argocd
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-5"
 data:
   url: {{ $project.git.repoUrl | b64enc }}
   name: {{ printf $projectName | b64enc }}

diff --git a/charts/argocd/values.yaml b/charts/argocd/values.yaml
@@ -1,7 +1,15 @@
+global:
+  syncWindow:
+  - kind: allow
+    schedule: '* * * * *'
+    manualSync: true
+    duration: 24h
+
 argo-cd:
   fullnameOverride: "argocd"
 
   controller:
+    kind: StatefulSet
     replicaCount: 2
     extraEnvVars:
       - name: "TZ"
@@ -13,6 +21,7 @@ argo-cd:
   notifications:
     enabled: false
   repoServer:
+    replicaCount: 2
     extraEnvVars:
       - name: "TZ"
         value: "Europe/Berlin"
@@ -22,6 +31,7 @@ argo-cd:
       seccompProfile:
         type: Unconfined
   server:
+    replicaCount: 2
     ingress:
       enabled: true
       hostname: "SET_BY_TERRAFORM"
@@ -32,10 +42,15 @@ argo-cd:
     extraEnvVars:
       - name: "TZ"
         value: "Europe/Berlin"
+
+      # There is no need to specify ARGOCD_SERVER_BASEHREF, as that would only change the UI path, which is done by setting ARGOCD_SERVER_ROOTPATH
+      # ARGOCD_SERVER_BASEHREF changes UI path only
+      # ARGOCD_SERVER_ROOTPATH changes UI + API path
       - name: "ARGOCD_SERVER_ROOTPATH"
-        value: "{{ .Values.server.ingress.path }}"
-      - name: "ARGOCD_SERVER_BASEHREF"
-        value: "{{ .Values.server.ingress.path }}"
+        # If we are serving on the root '/' this variable needs to be either non-existent or empty for the argo-server to respond properly.
+        # Relevant if you want to serve argo on a dedicated sub-domain i.e. argo.example.com
+        value: "{{ $path := .Values.server.ingress.path }}{{ if ($path | ne \"/\") }}{{ $path }}{{ end }}"
+
     logFormat: json
     insecure: true
 
@@ -100,9 +115,9 @@ argo-cd:
 
 # -- List of projects which you want to bootstrap
 projects:
-## bootstraps infrastructure related charts like traefik, elastic-stack...
+#  # bootstraps infrastructure related charts like traefik, elastic-stack...
 #  infrastructure-charts:
-## values which are handed over to the infrastructure-charts project like this you can for example give over information from terraform to argocd
+#    # values which are handed over to the infrastructure-charts project like this you can for example give over information from terraform to argocd
 #    projectValues:
 #      # Set this to enable stage values.yaml
 #      stage:
@@ -132,6 +147,14 @@ projects:
 #
 #    # defaults to *
 #    allowedUrls:
+#
+#    syncWindow:
+#      - kind: deny
+#        schedule: '0 0 * * *'
+#        duration: 23h
+#      - kind: allow
+#        schedule: '0 23 * * *'
+#        duration: 1h
 
 # Kyverno Policy Exception
 policyException: