diff --git a/.github/workflows/update_documentation.yaml b/.github/workflows/update_documentation.yaml
index 4a74a047..7a2a2a9f 100644
--- a/.github/workflows/update_documentation.yaml
+++ b/.github/workflows/update_documentation.yaml
@@ -6,6 +6,7 @@ on:
- "*"
paths:
- 'charts/**/values.yaml'
+ - 'charts/**/Chart.yaml'
- 'charts/README.md.gotmpl'
- '.github/workflows/update_documentation.yaml'
diff --git a/charts/argocd/Chart.lock b/charts/argocd/Chart.lock
index cc29223f..90cf4a8d 100644
--- a/charts/argocd/Chart.lock
+++ b/charts/argocd/Chart.lock
@@ -1,6 +1,6 @@
dependencies:
- name: argo-cd
- repository: https://charts.bitnami.com/bitnami
- version: 6.4.0
-digest: sha256:b05c56b5912292b2f00adf4ebe25785618251225380e23ac14ae0cee73c725ee
-generated: "2024-06-03T12:33:16.441848+02:00"
+ repository: oci://registry-1.docker.io/bitnamicharts
+ version: 6.6.7
+digest: sha256:a65026cc706031b4fe9cb309b4c98e1e51d58ea3b4567ebd435b207adfdfa70c
+generated: "2024-07-24T20:03:23.706528+02:00"
diff --git a/charts/argocd/Chart.yaml b/charts/argocd/Chart.yaml
index 09fb4585..3d4cd64b 100644
--- a/charts/argocd/Chart.yaml
+++ b/charts/argocd/Chart.yaml
@@ -10,7 +10,7 @@ description: |
name = "argocd"
repository = "https://charts.iits.tech"
chart = "argocd"
- version = "16.2.0"
+ version = "16.2.1"
namespace = "argocd"
create_namespace = true
wait = true
@@ -19,6 +19,10 @@ description: |
render_subchart_notes = true
dependency_update = true
wait_for_jobs = true
+ set_sensitive {
+ name = "projects.app-charts.git.password"
+ value = var.git_token
+ }
values = [
yamlencode({
projects = {
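Review bot: `set_sensitive` on `projects.app-charts.git.password` only redacts the token from plan/apply output; the value is still stored in clear text in the Terraform state, and the chart presumably renders it base64-encoded into the repository `Secret` produced by `templates/projects/repo-config.yaml`, so state-store access and Secret read access in the argocd namespace both expose it. Since this snippet is the documented way to install the chart, one comment next to the block would prevent a false sense of safety: `# set_sensitive hides the token from plan output only; it still lives in Terraform state and in the argocd repository Secret - protect the state backend accordingly.` The `helm_release` block this belongs to starts and ends outside the hunk.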
@@ -26,12 +30,10 @@ description: | projectValues = { # Set this to enable stage values-$STAGE.yaml stage = var.stage - # Example values which are handed down to the project. Like this you can give over informations from terraform to argocd + # Example values which are handed down to the project. Like this you can give over information from terraform to argo-cd rootDomain = var.domain_name } - git = { - password = var.git_token repoUrl = "https://github.com/iits-consulting/otc-infrastructure-charts-template" } } @@ -46,9 +48,9 @@ description: | named infrastructure-charts and will install everything from there. name: argocd -appVersion: 2.11.2 -version: 16.2.0 +appVersion: 2.11.7 +version: 16.2.1 dependencies: - name: argo-cd - repository: https://charts.bitnami.com/bitnami - version: 6.4.0 + repository: oci://registry-1.docker.io/bitnamicharts + version: 6.6.7 diff --git a/charts/argocd/README.md b/charts/argocd/README.md index a121076b..925ad1b9 100644 --- a/charts/argocd/README.md +++ b/charts/argocd/README.md @@ -1,6 +1,6 @@ # argocd -![Version: 16.2.0](https://img.shields.io/badge/Version-16.2.0-informational?style=flat-square) ![AppVersion: 2.11.2](https://img.shields.io/badge/AppVersion-2.11.2-informational?style=flat-square) +![Version: 16.2.1](https://img.shields.io/badge/Version-16.2.1-informational?style=flat-square) ![AppVersion: 2.11.7](https://img.shields.io/badge/AppVersion-2.11.7-informational?style=flat-square) This chart is used to bootstrap a Kubernetes cluster with `argocd`. You can use this chart to deploy `argocd` through tools like `terraform`. @@ -12,7 +12,7 @@ resource "helm_release" "argocd" { name = "argocd" repository = "https://charts.iits.tech" chart = "argocd" - version = "16.2.0" + version = "16.2.1" namespace = "argocd" create_namespace = true wait = true 
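Review bot: Removing `git = {` and the `password` line while keeping `repoUrl = "…"` and its closing `}` leaves the HCL example with one more `}` than `{` and moves `repoUrl` up one level, so the documented snippet no longer sets `git.repoUrl`, which `templates/projects/project.yaml` reads as `$project.git.repoUrl` for `sourceRepos`. Keep the map and drop only the secret: `git = {` / `repoUrl = "https://github.com/iits-consulting/otc-infrastructure-charts-template"` / `}`; Helm's `--set`/`set_sensitive` merges `git.password` into that map on its own. The enclosing `yamlencode({ … })` call continues outside the hunk, and the same snippet is repeated in README.md, which the update_documentation workflow appears to regenerate from this description, so fixing it here should fix both.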
@@ -21,6 +21,10 @@ resource "helm_release" "argocd" { render_subchart_notes = true dependency_update = true wait_for_jobs = true + set_sensitive { + name = "projects.app-charts.git.password" + value = var.git_token + } values = [ yamlencode({ projects = { @@ -28,12 +32,10 @@ resource "helm_release" "argocd" { projectValues = { # Set this to enable stage values-$STAGE.yaml stage = var.stage - # Example values which are handed down to the project. Like this you can give over informations from terraform to argocd + # Example values which are handed down to the project. Like this you can give over information from terraform to argo-cd rootDomain = var.domain_name } - git = { - password = var.git_token repoUrl = "https://github.com/iits-consulting/otc-infrastructure-charts-template" } } @@ -51,7 +53,7 @@ named infrastructure-charts and will install everything from there. | Repository | Name | Version | |------------|------|---------| -| https://charts.bitnami.com/bitnami | argo-cd | 6.4.0 | +| oci://registry-1.docker.io/bitnamicharts | argo-cd | 6.6.7 | ## Values @@ -60,6 +62,7 @@ named infrastructure-charts and will install everything from there. | argo-cd.config.rbac."policy.csv" | string | `"g, ARGOCD-ADMIN, role:admin\ng, SYSTEM-ADMINISTRATOR, role:admin\n"` | | | argo-cd.controller.extraEnvVars[0].name | string | `"TZ"` | | | argo-cd.controller.extraEnvVars[0].value | string | `"Europe/Berlin"` | | +| argo-cd.controller.kind | string | `"StatefulSet"` | | | argo-cd.controller.logFormat | string | `"json"` | | | argo-cd.controller.replicaCount | int | `2` | | | argo-cd.controller.resourcesPreset | string | `"medium"` | | 
@@ -70,6 +73,7 @@ named infrastructure-charts and will install everything from there. | argo-cd.repoServer.extraEnvVars[0].name | string | `"TZ"` | | | argo-cd.repoServer.extraEnvVars[0].value | string | `"Europe/Berlin"` | | | argo-cd.repoServer.logFormat | string | `"json"` | | +| argo-cd.repoServer.replicaCount | int | `2` | | | argo-cd.repoServer.resourcesPreset | string | `"small"` | | | argo-cd.server.config."oidc.config" | string | `"name: OIDC\nissuer: $argocd-oidc:oidcURL\nclientID: $argocd-oidc:clientID\nclientSecret: $argocd-oidc:clientSecret\nrequestedScopes:\n - openid\n - profile\n - email\n - groups\nrequestedIDTokenClaims:\n groups:\n essential: true\n"` | | | argo-cd.server.config."resource.customizations" | string | `"# Ignores .data changes of all secrets with a vaultInjectionChecksum annotation\nargoproj.io/Application:\n ignoreDifferences: |\n jqPathExpressions:\n - '. | select(.metadata.annotations.parametersChecksum) | .spec.source.helm'\n - '. | select(.metadata.annotations.valueFileChecksum) | .spec.source.helm'\n# Ignores caBundle and template changes of the following resources\nadmissionregistration.k8s.io/MutatingWebhookConfiguration:\n ignoreDifferences: |\n jqPathExpressions:\n - .metadata.annotations.template\n - '.webhooks'\napiextensions.k8s.io/CustomResourceDefinition:\n ignoreDifferences: |\n jqPathExpressions:\n - .spec.conversion.webhookClientConfig.caBundle\nadmissionregistration.k8s.io/ValidatingWebhookConfiguration:\n ignoreDifferences: |\n jqPathExpressions:\n - .metadata.annotations.template\n - '.webhooks[]?.clientConfig.caBundle'\n - '.webhooks'\ncert-manager.io/Certificate:\n ignoreDifferences: |\n jqPathExpressions:\n - .spec.duration\nnetworking.k8s.io/Ingress:\n health.lua: |\n hs = {}\n hs.status = \"Healthy\"\n return hs\n"` | | 
@@ -77,9 +81,7 @@ named infrastructure-charts and will install everything from there. | argo-cd.server.extraEnvVars[0].name | string | `"TZ"` | | | argo-cd.server.extraEnvVars[0].value | string | `"Europe/Berlin"` | | | argo-cd.server.extraEnvVars[1].name | string | `"ARGOCD_SERVER_ROOTPATH"` | | -| argo-cd.server.extraEnvVars[1].value | string | `"{{ .Values.server.ingress.path }}"` | | -| argo-cd.server.extraEnvVars[2].name | string | `"ARGOCD_SERVER_BASEHREF"` | | -| argo-cd.server.extraEnvVars[2].value | string | `"{{ .Values.server.ingress.path }}"` | | +| argo-cd.server.extraEnvVars[1].value | string | `"{{ $path := .Values.server.ingress.path }}{{ if ($path | ne \"/\") }}{{ $path }}{{ end }}"` | | | argo-cd.server.ingress.annotations."traefik.ingress.kubernetes.io/router.entrypoints" | string | `"websecure"` | | | argo-cd.server.ingress.annotations."traefik.ingress.kubernetes.io/router.tls" | string | `"true"` | | | argo-cd.server.ingress.enabled | bool | `true` | | @@ -87,6 +89,11 @@ named infrastructure-charts and will install everything from there. | argo-cd.server.ingress.path | string | `"/argocd"` | | | argo-cd.server.insecure | bool | `true` | | | argo-cd.server.logFormat | string | `"json"` | | +| argo-cd.server.replicaCount | int | `2` | | +| global.syncWindow[0].duration | string | `"24h"` | | +| global.syncWindow[0].kind | string | `"allow"` | | +| global.syncWindow[0].manualSync | bool | `true` | | +| global.syncWindow[0].schedule | string | `"* * * * *"` | | | policyException.enabled | bool | `true` | | | projects | string | `nil` | List of projects which you want to bootstrap | diff --git a/charts/argocd/templates/kyverno/policy-exception.yaml b/charts/argocd/templates/kyverno/policy-exception.yaml index ef9b38a9..a1e2d784 100644 --- a/charts/argocd/templates/kyverno/policy-exception.yaml +++ b/charts/argocd/templates/kyverno/policy-exception.yaml 
@@ -31,7 +31,6 @@ spec:
namespaces:
- {{ $.Release.Namespace }}
names:
- - argocd-repo-server*
{{- end }}
{{- end }}
\ No newline at end of file
diff --git a/charts/argocd/templates/projects/application.yaml b/charts/argocd/templates/projects/application.yaml
index afd6ef72..4830ed98 100644
--- a/charts/argocd/templates/projects/application.yaml
+++ b/charts/argocd/templates/projects/application.yaml
@@ -3,10 +3,6 @@ apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: {{ $projectName }}
- # application needs to be installed after the crds
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-weight": "-5"
spec:
project: {{ $projectName }}
revisionHistoryLimit: 3
diff --git a/charts/argocd/templates/projects/helm-registries.yaml b/charts/argocd/templates/projects/helm-registries.yaml
index 912c692e..b08908be 100644
--- a/charts/argocd/templates/projects/helm-registries.yaml
+++ b/charts/argocd/templates/projects/helm-registries.yaml
@@ -8,9 +8,6 @@ metadata:
labels:
argocd.argoproj.io/secret-type: repository
app.kubernetes.io/part-of: argocd
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "-5"
data:
name: {{ printf $registryName| b64enc }}
password: {{ printf $registry.password | b64enc }}
diff --git a/charts/argocd/templates/projects/project.yaml b/charts/argocd/templates/projects/project.yaml
index e1e46021..2f56e884 100644
--- a/charts/argocd/templates/projects/project.yaml
+++ b/charts/argocd/templates/projects/project.yaml
@@ -3,10 +3,6 @@ apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: {{ $projectName }}
- # project needs to be installed after the crds
- annotations:
- "helm.sh/hook": post-install,post-upgrade
- "helm.sh/hook-weight": "-5"
spec:
sourceRepos:
- {{ $project.git.repoUrl }}
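Review bot: Dropping `- argocd-repo-server*` leaves the `names:` key on the line above with no entries, which YAML parses as null; if Kyverno treats an absent/empty `names` the way it treats other omitted selector fields, this PolicyException now exempts every resource in `{{ $.Release.Namespace }}` instead of just the repo-server, i.e. the change widens the exemption rather than narrowing it. Either remove the `names:` line together with its entry or keep an explicit list of the workloads that still need the exception. The `{{- range }}` blocks this lives in begin outside the hunk, and the file still ends without a trailing newline.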
@@ -20,6 +16,10 @@ spec:
destinations:
- namespace: '*'
server: 'https://kubernetes.default.svc'
+ syncWindows:
+ {{- range $syncWindow := default $.Values.global.syncWindow $project.syncWindow }}
+ - {{ (tpl (toYaml $syncWindow) $) | nindent 6 -}}
+ {{ end }}
clusterResourceWhitelist:
- group: '*'
kind: '*'
diff --git a/charts/argocd/templates/projects/repo-config.yaml b/charts/argocd/templates/projects/repo-config.yaml
index 0b121d85..79fab1ce 100644
--- a/charts/argocd/templates/projects/repo-config.yaml
+++ b/charts/argocd/templates/projects/repo-config.yaml
@@ -6,9 +6,6 @@ metadata:
labels:
argocd.argoproj.io/secret-type: repository
app.kubernetes.io/part-of: argocd
- annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "-5"
data:
url: {{ $project.git.repoUrl | b64enc }}
name: {{ printf $projectName | b64enc }}
diff --git a/charts/argocd/values.yaml b/charts/argocd/values.yaml
index 4c7e2754..b334330c 100644
--- a/charts/argocd/values.yaml
+++ b/charts/argocd/values.yaml
@@ -1,7 +1,15 @@
+global:
+ syncWindow:
+ - kind: allow
+ schedule: '* * * * *'
+ manualSync: true
+ duration: 24h
+
argo-cd:
fullnameOverride: "argocd"
controller:
+ kind: StatefulSet
replicaCount: 2
extraEnvVars:
- name: "TZ"
@@ -13,6 +21,7 @@ argo-cd:
notifications:
enabled: false
repoServer:
+ replicaCount: 2
extraEnvVars:
- name: "TZ"
value: "Europe/Berlin"
@@ -22,6 +31,7 @@ argo-cd:
seccompProfile:
type: Unconfined
server:
+ replicaCount: 2
ingress:
enabled: true
hostname: "SET_BY_TERRAFORM"
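Review bot: `default $.Values.global.syncWindow $project.syncWindow` decides by truthiness, so a project cannot opt out of sync windows: `syncWindow: []` is falsy in Go templates and silently falls back to the global list, which matters once the global default is changed to a deny window. Decide by presence instead: `{{- $windows := $.Values.global.syncWindow }}` / `{{- if hasKey $project "syncWindow" }}{{ $windows = $project.syncWindow }}{{ end }}` / `{{- range $syncWindow := $windows }}`. `syncWindows:` is also emitted unconditionally, so an empty list renders it as null; harmless for the API server, but wrapping the key in `{{- if $windows }}` keeps the manifest clean. The AppProject template's `spec:` starts outside the hunk.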
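Review bot: The new `global.syncWindow` default - an `allow` window that starts every minute and lasts 24h - is permanently open, so by itself it changes nothing except that every generated AppProject now carries a window block; nothing in the hunk says that this is a deliberate placeholder for projects to override. A comment above it would settle that: `# Always-open allow window (no-op default). Projects override it with their own deny/allow windows via projects.<name>.syncWindow.` Separately, `controller.kind: StatefulSet` alongside `replicaCount: 2` relies on Argo CD's per-cluster controller sharding to be useful, and with the single in-cluster destination used by the AppProject template the second replica would presumably sit idle - worth a comment on what the second replica is for if it is intentional.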
@@ -32,10 +42,15 @@ argo-cd: extraEnvVars: - name: "TZ" value: "Europe/Berlin" + + # There is no need to specify ARGOCD_SERVER_BASEHREF, as that would only change the UI path, which is done by setting ARGOCD_SERVER_ROOTPATH + # ARGOCD_SERVER_BASEHREF changes UI path only + # ARGOCD_SERVER_ROOTPATH changes UI + API path - name: "ARGOCD_SERVER_ROOTPATH" - value: "{{ .Values.server.ingress.path }}" - - name: "ARGOCD_SERVER_BASEHREF" - value: "{{ .Values.server.ingress.path }}" + # If we are serving on the root '/' this variable needs to be either non-existent or empty for the argo-server to respond properly. + # Relevant if you want to serve argo on a dedicated sub-domain i.e. argo.example.com + value: "{{ $path := .Values.server.ingress.path }}{{ if ($path | ne \"/\") }}{{ $path }}{{ end }}" + logFormat: json insecure: true @@ -100,9 +115,9 @@ argo-cd: # -- List of projects which you want to bootstrap projects: -## bootstraps infrastructure related charts like traefik, elastic-stack... +# # bootstraps infrastructure related charts like traefik, elastic-stack... # infrastructure-charts: -## values which are handed over to the infrastructure-charts project like this you can for example give over information from terraform to argocd +# # values which are handed over to the infrastructure-charts project like this you can for example give over information from terraform to argocd # projectValues: # # Set this to enable stage values.yaml # stage: @@ -132,6 +147,14 @@ projects: # # # defaults to * # allowedUrls: +# +# syncWindow: +# - kind: deny +# schedule: '0 0 * * *' +# duration: 23h +# - kind: allow +# schedule: '0 23 * * *' +# duration: 1h # Kyverno Policy Exception policyException:
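Review bot: The new `ARGOCD_SERVER_ROOTPATH` expression special-cases only the exact string `/`; an ingress path with a trailing slash such as `/argocd/` passes through unchanged, which is likely to break routing in the same way the comment describes for `/`. `trimSuffix` handles both cases in one expression - `value: "{{ .Values.server.ingress.path | trimSuffix \"/\" }}"` - turning `/` into the empty value the comment asks for and `/argocd/` into `/argocd`. The three comment lines above `- name` say the same thing twice; the first sentence alone is sufficient. The `server:` block this sits in starts and ends outside the hunk.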