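# Helm values for an Argo Workflows deployment: CRD handling, workflow and
# controller RBAC, the Argo Server exposed through a Gateway API HTTPRoute with
# SSO as its only auth mode, and extra manifests that map SSO users onto two
# Kubernetes service accounts.

## Custom resource configuration
crds:
  # -- Install and upgrade CRDs
  install: true
  # -- Keep CRDs on chart uninstall
  keep: true
  # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
  # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
  full: true

# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
createAggregateRoles: true

# -- Restrict Argo to operate only in a single namespace (the namespace of the
# Helm release) by applying Roles and RoleBindings instead of the Cluster
# equivalents, and start workflow-controller with the --namespaced flag. Use it
# in clusters with strict access policy.
singleNamespace: false

workflow:
  # NOTE(review): create is false here while workflow.rbac.create is true, so
  # the RoleBinding presumably points at a service account named
  # "argo-workflow" that this release does not create. Confirm it exists in
  # every namespace listed in controller.workflowNamespaces.
  serviceAccount:
    # -- Specifies whether a service account should be created
    create: false
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}
    # -- Service account which is used to run workflows
    name: "argo-workflow"
    # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
    pullSecrets: []
  rbac:
    # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
    # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
    create: true
    # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
    agentPermissions: false
    # -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
    artifactGC: false
    # -- Extra service accounts to be added to the RoleBinding
    serviceAccounts: []
      # - name: my-service-account
      #   namespace: my-namespace
    # -- Additional rules for the service account that runs the workflows.
    rules: []

controller:
  rbac:
    # -- Adds Role and RoleBinding for the controller.
    create: true
    # -- Allows controller to get, list, and watch certain k8s secrets
    secretWhitelist: []
    # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
    accessAllSecrets: false
    # -- Allows controller to create and update ConfigMaps. Enables memoization feature
    writeConfigMaps: false

  configMap:
    # -- Create a ConfigMap for the controller
    create: true
    # -- ConfigMap name
    name: ""
    # -- ConfigMap annotations
    annotations: {}

  # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
  ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
  persistence: {}
  # connectionPool:
  #   maxIdleConns: 100
  #   maxOpenConns: 0
  # # save the entire workflow into etcd and DB
  # nodeStatusOffLoad: false
  # # enable archiving of old workflows
  # archive: false
  # postgresql:
  #   host: localhost
  #   port: 5432
  #   database: postgres
  #   tableName: argo_workflows
  #   # the database secrets must be in the same namespace of the controller
  #   userNameSecret:
  #     name: argo-postgres-config
  #     key: username
  #   passwordSecret:
  #     name: argo-postgres-config
  #     key: password
  #   ssl: true
  #   # sslMode must be one of: disable, require, verify-ca, verify-full
  #   # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
  #   sslMode: require
  # mysql:
  #   host: localhost
  #   port: 3306
  #   database: argo
  #   tableName: argo_workflows
  #   userNameSecret:
  #     name: argo-mysql-config
  #     key: username
  #   passwordSecret:
  #     name: argo-mysql-config
  #     key: password

  # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
  # Only valid for 2.7+
  ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
  workflowDefaults: {}
  #   spec:
  #     ttlStrategy:
  #       secondsAfterCompletion: 86400
  #     # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
  #     artifactRepositoryRef:
  #       configMap: my-artifact-repository # default is "artifact-repositories"
  #       key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.

  serviceAccount:
    # -- Create a service account for the controller
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}

  # -- Workflow controller name string
  name: workflow-controller

  # -- Specify all namespaces where this workflow controller instance will manage
  # workflows. This controls where the service account and RBAC resources will
  # be created. Only valid when singleNamespace is false.
  workflowNamespaces:
    - default

  logging:
    # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
    level: info
    # -- Set the glog logging level
    globallevel: "0"
    # -- Set the logging format (one of: `text`, `json`)
    format: "text"

server:
  # -- Deploy the Argo Server
  enabled: true
  # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
  ## only updates base url of resources on client side,
  ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
  ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
  baseHref: /
  image:
    # -- Registry to use for the server
    registry: quay.io
    # -- Repository to use for the server
    repository: argoproj/argocli
  rbac:
    # -- Adds Role and RoleBinding for the server.
    create: true

  # NOTE(review): a chart comment reading "Servers container-level security
  # context" sat directly above serviceAccount with no securityContext key
  # after it. Nothing in this file overrides the server's security context, so
  # the chart's own default is what gets deployed.
  serviceAccount:
    # -- Create a service account for the server
    create: true
    # -- Service account name
    name: ""
    # -- Labels applied to created service account
    labels: {}
    # -- Annotations applied to created service account
    annotations: {}

  # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
  ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
  authModes:
    - sso

  ## Ingress configuration.
  # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ingress:
    # -- Enable an ingress resource
    enabled: false

  # Gateway API HTTPRoute configuration
  # NOTE: Gateway API support is in EXPERIMENTAL status
  # Support depends on your Gateway controller implementation
  # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
  # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
  httproute:
    # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
    enabled: true
    # -- Additional HTTPRoute labels
    labels: {}
    # -- Additional HTTPRoute annotations
    annotations: {}
    # -- Gateway API parentRefs for the HTTPRoute
    ## Must reference an existing Gateway
    # @default -- `[]` (See [values.yaml])
    parentRefs:
      - group: gateway.networking.k8s.io
        kind: Gateway
        name: internal
        namespace: kube-system
        sectionName: https
    # -- List of hostnames for the HTTPRoute
    # @default -- `[]` (See [values.yaml])
    hostnames:
      - "workflows.peterg.nl"
    # @default -- `[]` (See [values.yaml])
    rules:
      - matches:
          - path:
              type: PathPrefix
              value: /
        # filters: []
        #   - type: RequestHeaderModifier
        #     requestHeaderModifier:
        #       add:
        #         - name: X-Custom-Header
        #           value: custom-value

  # Gateway API BackendTLSPolicy configuration
  # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
  # Required for HTTPS backends when using Gateway API
  # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
  # NOTE(review): the HTTPRoute above is enabled while this policy is off and
  # server.secure is not set in this file. Confirm whether the hop from the
  # gateway to the server pod is TLS; if it is plain HTTP, SSO session tokens
  # cross the cluster network unencrypted on that leg.
  backendTLSPolicy:
    # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
    enabled: false
    # -- Additional BackendTLSPolicy labels
    labels: {}
    # -- Additional BackendTLSPolicy annotations
    annotations: {}
    # -- Target references for the BackendTLSPolicy
    # @default -- `[]` (See [values.yaml])
    targetRefs: []
      # - group: ""
      #   kind: Service
      #   name: argo-workflows-server
      #   sectionName: https
    # -- TLS validation configuration
    # @default -- `{}` (See [values.yaml])
    validation: {}
      # hostname: argo-workflows-server.argo.svc.cluster.local
      # caCertificateRefs:
      #   - name: example-ca-cert
      #     group: ""
      #     kind: ConfigMap
      # wellKnownCACertificates: System

  clusterWorkflowTemplates:
    # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
    enabled: true
    # -- Give the server permissions to edit ClusterWorkflowTemplates.
    enableEditing: true

  # SSO configuration when SSO is specified as a server auth mode.
  # clientId and clientSecret are references to keys in the Kubernetes Secret
  # "argo-workflows-sso"; the credential values themselves are not in this file.
  sso:
    enabled: true
    issuer: https://auth.peterg.nl/application/o/argo-workflows/
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: https://workflows.peterg.nl/oauth2/callback
    scopes:
      - groups
    # SSO RBAC: each signed-in user is mapped to one of the annotated service
    # accounts declared under extraObjects.
    rbac:
      enabled: true

# -- Array of extra K8s manifests to deploy
extraObjects:
  # Service account used for SSO users whose `groups` claim contains
  # 'ArgoCD Admins'. Precedence 1 outranks the fallback account below.
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: admin-user
      namespace: argo-workflows
      annotations:
        workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
        workflows.argoproj.io/rbac-rule-precedence: "1"

  # Fallback service account for every other SSO user.
  # NOTE(review): the rule "true" matches any identity the issuer signs in, so
  # who can read workflows is decided entirely by who the identity provider
  # admits to this application. Because the binding below is a
  # ClusterRoleBinding, that read access covers every namespace. If that is
  # wider than intended, replace "true" with a group expression.
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: read-only
      namespace: argo-workflows
      annotations:
        workflows.argoproj.io/rbac-rule: "true"
        workflows.argoproj.io/rbac-rule-precedence: "0"

  # Cluster-wide grant of the argo-workflows-admin ClusterRole to admin-user.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: argo-workflows-admin-user
    subjects:
      - kind: ServiceAccount
        name: admin-user
        namespace: argo-workflows
    roleRef:
      kind: ClusterRole
      name: argo-workflows-admin
      apiGroup: rbac.authorization.k8s.io

  # Cluster-wide grant of the argo-workflows-view ClusterRole to read-only.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: argo-workflows-read-only
    subjects:
      - kind: ServiceAccount
        name: read-only
        namespace: argo-workflows
    roleRef:
      kind: ClusterRole
      name: argo-workflows-view
      apiGroup: rbac.authorization.k8s.io

  # Lets the Argo Server read service accounts and request tokens for them in
  # the argo-workflows namespace, which it needs in order to act as the
  # service account an SSO user maps to.
  # NOTE(review): neither rule carries resourceNames, so the server's service
  # account can request a token for every ServiceAccount in this namespace,
  # not only the two SSO-mapped ones above. If no other account needs to be
  # reachable this way, narrow both rules, for example:
  #   resourceNames: [admin-user, read-only]
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: argo-workflows-server-sso
      namespace: argo-workflows
    rules:
      - apiGroups:
          - ""
        resources:
          - serviceaccounts
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - serviceaccounts/token
        verbs:
          - create

  # Binds the Role above to the server's service account.
  # NOTE(review): the subject name "argo-workflows-server" is fixed here while
  # server.serviceAccount.name is left empty (chart-generated); confirm the
  # generated name matches, otherwise this binding grants nothing.
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: argo-workflows-server-sso
      namespace: argo-workflows
    subjects:
      - kind: ServiceAccount
        name: argo-workflows-server
        namespace: argo-workflows
    roleRef:
      kind: Role
      name: argo-workflows-server-sso
      apiGroup: rbac.authorization.k8s.io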