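## Custom resource configuration
crds:
  # -- Install and upgrade CRDs
  install: true
  # -- Keep CRDs on chart uninstall
  keep: true
  # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified
  # CRDs with x-kubernetes-preserve-unknown-fields.
  # Full CRDs are very large and are installed via a pre-install/pre-upgrade
  # hook Job that uses server-side apply.
  # With the full schemas the API server can validate the fields of submitted
  # objects; the minified form preserves unknown fields instead.
  full: true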
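# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
# Aggregation adds these rules to the ClusterRoles being extended, so every
# subject already bound to one of those roles gains the matching access to
# Argo Workflows resources. Review who holds those roles before enabling.
createAggregateRoles: true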
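# -- Restrict Argo to operate only in a single namespace (the namespace of the
# Helm release) by applying Roles and RoleBindings instead of the Cluster
# equivalents, and start workflow-controller with the --namespaced flag. Use it
# in clusters with strict access policy.
# false here means the cluster-scoped equivalents are used.
singleNamespace: false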
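workflow:
  serviceAccount:
    # -- Specifies whether a service account should be created
    # NOTE(review): with create false and rbac.create true below, the
    # RoleBinding presumably targets an "argo-workflow" account that this chart
    # does not create. Confirm that it exists in every workflow namespace.
    create: false
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
    # -- Service account which is used to run workflows
    name: "argo-workflow"
    # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
    pullSecrets: []
  rbac:
    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
    # A Role and RoleBinding pair is also created for each namespace in controller.workflowNamespaces (see below)
    create: true
    # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
    agentPermissions: false
    # -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
    artifactGC: false
    # -- Extra service accounts to be added to the RoleBinding
    # Every account listed here receives the same workflow-running Role.
    serviceAccounts: []
    # - name: my-service-account
    #   namespace: my-namespace
    # -- Additional rules for the service account that runs the workflows.
    # Workflow pods run with this account, so rules added here become
    # available to the code those pods execute. Keep the list minimal.
    rules: []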
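controller:
  rbac:
    # -- Adds Role and RoleBinding for the controller.
    create: true
    # -- Allows controller to get, list, and watch certain k8s secrets
    # Prefer naming the specific Secrets here over enabling accessAllSecrets.
    secretWhitelist: []
    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
    # Leaving this false keeps the controller from reading unrelated Secrets.
    accessAllSecrets: false
    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
    writeConfigMaps: false
  configMap:
    # -- Create a ConfigMap for the controller
    create: true
    # -- ConfigMap name
    name: ""
    # -- ConfigMap annotations
    annotations: {}
  # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
  ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
  persistence: {}
  # connectionPool:
  #   maxIdleConns: 100
  #   maxOpenConns: 0
  # # save the entire workflow into etcd and DB
  # nodeStatusOffLoad: false
  # # enable archiving of old workflows
  # archive: false
  # postgresql:
  #   host: localhost
  #   port: 5432
  #   database: postgres
  #   tableName: argo_workflows
  #   # the database secrets must be in the same namespace of the controller
  #   userNameSecret:
  #     name: argo-postgres-config
  #     key: username
  #   passwordSecret:
  #     name: argo-postgres-config
  #     key: password
  #   ssl: true
  #   # sslMode must be one of: disable, require, verify-ca, verify-full
  #   # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
  #   # `require` encrypts the connection without verifying the server
  #   # certificate; `verify-full` also checks the CA chain and the host name.
  #   sslMode: require
  # mysql:
  #   host: localhost
  #   port: 3306
  #   database: argo
  #   tableName: argo_workflows
  #   userNameSecret:
  #     name: argo-mysql-config
  #     key: username
  #   passwordSecret:
  #     name: argo-mysql-config
  #     key: password
  # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
  # Only valid for 2.7+
  ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
  workflowDefaults: {}
  # spec:
  #   ttlStrategy:
  #     secondsAfterCompletion: 86400
  #   # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
  #   artifactRepositoryRef:
  #     configMap: my-artifact-repository # default is "artifact-repositories"
  #     key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
  serviceAccount:
    # -- Create a service account for the controller
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
  # -- Workflow controller name string
  name: workflow-controller
  # -- Specify all namespaces where this workflow controller instance will manage
  # workflows. This controls where the service account and RBAC resources will
  # be created. Only valid when singleNamespace is false.
  # Each namespace listed receives workflow RBAC, so list only namespaces that
  # are meant to run workflows.
  workflowNamespaces:
    - default
  logging:
    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
    level: info
    # -- Set the glog logging level
    globallevel: "0"
    # -- Set the logging format (one of: `text`, `json`)
    format: "text"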
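server:
  # -- Deploy the Argo Server
  enabled: true
  # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
  ## only updates base url of resources on client side,
  ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
  ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
  baseHref: /
  image:
    # -- Registry to use for the server
    registry: quay.io
    # -- Repository to use for the server
    repository: argoproj/argocli
    # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
    tag: ""
  rbac:
    # -- Adds Role and RoleBinding for the server.
    create: true
  # NOTE(review): the original listing had a "Servers container-level security
  # context" comment at this point with no securityContext key beneath it, so
  # the chart default applies. Confirm that the default is acceptable.
  serviceAccount:
    # -- Create a service account for the server
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
  # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
  ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
  # Only `sso` is listed. Adding `server` would let requests run with the
  # server's own service account instead of an identity from the issuer.
  authModes:
    - sso
  ## Ingress configuration.
  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ingress:
    # -- Enable an ingress resource
    enabled: false
  # Gateway API HTTPRoute configuration
  # NOTE: Gateway API support is in EXPERIMENTAL status
  # Support depends on your Gateway controller implementation
  # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
  # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
  httproute:
    # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
    enabled: true
    # -- Additional HTTPRoute labels
    labels: {}
    # -- Additional HTTPRoute annotations
    annotations: {}
    # -- Gateway API parentRefs for the HTTPRoute
    ## Must reference an existing Gateway
    # @default -- `[]` (See [values.yaml])
    # The route attaches to the `https` listener of the `internal` Gateway in
    # kube-system. Exposure of the UI therefore follows that Gateway's reach.
    parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: internal
        namespace: kube-system
        sectionName: https
    # -- List of hostnames for the HTTPRoute
    # @default -- `[]` (See [values.yaml])
    hostnames:
      - "workflows.peterg.nl"
    # @default -- `[]` (See [values.yaml])
    rules:
      - matches:
          - path:
              type: PathPrefix
              value: /
        # filters: []
        #   - type: RequestHeaderModifier
        #     requestHeaderModifier:
        #       add:
        #         - name: X-Custom-Header
        #           value: custom-value
  # Gateway API BackendTLSPolicy configuration
  # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
  # Required for HTTPS backends when using Gateway API
  # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
  backendTLSPolicy:
    # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
    # NOTE(review): with this disabled no backend certificate validation is
    # configured for the gateway-to-server hop. Whether that hop uses TLS at
    # all depends on `server.secure`, which this file does not set. Confirm.
    enabled: false
    # -- Additional BackendTLSPolicy labels
    labels: {}
    # -- Additional BackendTLSPolicy annotations
    annotations: {}
    # -- Target references for the BackendTLSPolicy
    # @default -- `[]` (See [values.yaml])
    targetRefs: []
    # - group: ""
    #   kind: Service
    #   name: argo-workflows-server
    #   sectionName: https
    # -- TLS validation configuration
    # @default -- `{}` (See [values.yaml])
    validation: {}
    # hostname: argo-workflows-server.argo.svc.cluster.local
    # caCertificateRefs:
    #   - name: example-ca-cert
    #     group: ""
    #     kind: ConfigMap
    # wellKnownCACertificates: System
  clusterWorkflowTemplates:
    # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
    enabled: true
    # -- Give the server permissions to edit ClusterWorkflowTemplates.
    # This is cluster-scoped write access for the server's account. Set it to
    # false if templates are not meant to be edited through the server.
    enableEditing: true
  # SSO configuration when SSO is specified as a server auth mode.
  sso:
    enabled: true
    issuer: https://auth.peterg.nl/application/o/argo-workflows/
    # The client ID and secret are read from keys of the `argo-workflows-sso`
    # Secret, so no credential is stored in this values file.
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    # The host matches httproute.hostnames above. The same URL also has to be
    # registered as an allowed redirect URI at the issuer.
    redirectUrl: https://workflows.peterg.nl/oauth2/callback
    # The rbac-rule annotations under extraObjects test the `groups` claim,
    # so this scope has to stay requested for the admin mapping to match.
    scopes:
      - groups
    rbac:
      enabled: true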
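# -- Array of extra K8s manifests to deploy
extraObjects:
  # Service accounts that SSO RBAC maps signed-in users onto through their
  # rbac-rule annotations.
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: argo-workflows
      annotations:
        # Matches users whose `groups` claim contains 'ArgoCD Admins'. The
        # claim is issued by the identity provider, so control of membership in
        # that group there is what protects the admin mapping.
        workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
        workflows.argoproj.io/rbac-rule-precedence: "1"
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: read-only
      namespace: argo-workflows
      annotations:
        # "true" matches every user who can sign in through the issuer, and
        # precedence 0 makes this the fallback. Combined with the
        # ClusterRoleBinding below, every such user can view workflows
        # cluster-wide. Tighten the rule or restrict sign-in at the issuer if
        # that is too broad. Annotation values must stay quoted strings.
        workflows.argoproj.io/rbac-rule: "true"
        workflows.argoproj.io/rbac-rule-precedence: "0"
  # Both bindings are ClusterRoleBindings, so the access applies in every
  # namespace. Use namespaced RoleBindings if only some namespaces are meant
  # to be reachable from the UI.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: argo-workflows-admin-user
    subjects:
      - kind: ServiceAccount
        name: admin-user
        namespace: argo-workflows
    roleRef:
      kind: ClusterRole
      name: argo-workflows-admin
      apiGroup: rbac.authorization.k8s.io
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: argo-workflows-read-only
    subjects:
      - kind: ServiceAccount
        name: read-only
        namespace: argo-workflows
    roleRef:
      kind: ClusterRole
      name: argo-workflows-view
      apiGroup: rbac.authorization.k8s.io
  # Lets the server look up service accounts and request tokens for them in
  # the argo-workflows namespace.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: argo-workflows-server-sso
      namespace: argo-workflows
    rules:
      - apiGroups:
          - ""
        resources:
          - serviceaccounts
        verbs:
          - get
      # Token creation is limited to the two SSO-mapped accounts. Without
      # resourceNames the server could request a token for any service account
      # in this namespace, including more privileged ones. Add new SSO-mapped
      # accounts to this list.
      # NOTE(review): assumes the server only needs tokens for accounts that
      # carry an rbac-rule annotation. Confirm against the Argo Workflows
      # version in use.
      - apiGroups:
          - ""
        resources:
          - serviceaccounts/token
        resourceNames:
          - admin-user
          - read-only
        verbs:
          - create
  # NOTE(review): assumes the chart-generated server service account is named
  # argo-workflows-server (server.serviceAccount.name is empty). Confirm
  # against the release name.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: argo-workflows-server-sso
      namespace: argo-workflows
    subjects:
      - kind: ServiceAccount
        name: argo-workflows-server
        namespace: argo-workflows
    roleRef:
      kind: Role
      name: argo-workflows-server-sso
      apiGroup: rbac.authorization.k8s.io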