344 lines
12 KiB
YAML
344 lines
12 KiB
YAML
## Custom resource configuration
|
|
crds:
|
|
# -- Install and upgrade CRDs
|
|
install: true
|
|
# -- Keep CRDs on chart uninstall
|
|
keep: true
|
|
# -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
|
|
# Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
|
|
full: true
|
|
|
|
# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
|
|
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
|
|
createAggregateRoles: true
|
|
|
|
# -- Restrict Argo to operate only in a single namespace (the namespace of the
|
|
# Helm release) by apply Roles and RoleBindings instead of the Cluster
|
|
# equivalents, and start workflow-controller with the --namespaced flag. Use it
|
|
# in clusters with strict access policy.
|
|
singleNamespace: false
|
|
|
|
workflow:
|
|
serviceAccount:
|
|
# -- Specifies whether a service account should be created
|
|
create: false
|
|
# -- Labels applied to created service account
|
|
labels: {}
|
|
# -- Annotations applied to created service account
|
|
annotations: {}
|
|
# -- Service account which is used to run workflows
|
|
name: "argo-workflow"
|
|
# -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
|
|
pullSecrets: []
|
|
rbac:
|
|
# -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
|
|
# A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
|
|
create: true
|
|
# -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
|
|
agentPermissions: false
|
|
# -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
|
|
artifactGC: false
|
|
# -- Extra service accounts to be added to the RoleBinding
|
|
serviceAccounts: []
|
|
# - name: my-service-account
|
|
# namespace: my-namespace
|
|
# -- Additional rules for the service account that runs the workflows.
|
|
rules: []
|
|
|
|
controller:
|
|
rbac:
|
|
# -- Adds Role and RoleBinding for the controller.
|
|
create: true
|
|
# -- Allows controller to get, list, and watch certain k8s secrets
|
|
secretWhitelist: []
|
|
# -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
|
|
accessAllSecrets: false
|
|
# -- Allows controller to create and update ConfigMaps. Enables memoization feature
|
|
writeConfigMaps: false
|
|
|
|
configMap:
|
|
# -- Create a ConfigMap for the controller
|
|
create: true
|
|
# -- ConfigMap name
|
|
name: ""
|
|
# -- ConfigMap annotations
|
|
annotations: {}
|
|
|
|
# -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
|
|
## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
|
|
persistence: {}
|
|
# connectionPool:
|
|
# maxIdleConns: 100
|
|
# maxOpenConns: 0
|
|
# # save the entire workflow into etcd and DB
|
|
# nodeStatusOffLoad: false
|
|
# # enable archiving of old workflows
|
|
# archive: false
|
|
# postgresql:
|
|
# host: localhost
|
|
# port: 5432
|
|
# database: postgres
|
|
# tableName: argo_workflows
|
|
# # the database secrets must be in the same namespace of the controller
|
|
# userNameSecret:
|
|
# name: argo-postgres-config
|
|
# key: username
|
|
# passwordSecret:
|
|
# name: argo-postgres-config
|
|
# key: password
|
|
# ssl: true
|
|
# # sslMode must be one of: disable, require, verify-ca, verify-full
|
|
# # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
|
|
# sslMode: require
|
|
# mysql:
|
|
# host: localhost
|
|
# port: 3306
|
|
# database: argo
|
|
# tableName: argo_workflows
|
|
# userNameSecret:
|
|
# name: argo-mysql-config
|
|
# key: username
|
|
# passwordSecret:
|
|
# name: argo-mysql-config
|
|
# key: password
|
|
|
|
# -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
|
|
# Only valid for 2.7+
|
|
## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
|
|
workflowDefaults: {}
|
|
# spec:
|
|
# ttlStrategy:
|
|
# secondsAfterCompletion: 86400
|
|
# # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
|
|
# artifactRepositoryRef:
|
|
# configMap: my-artifact-repository # default is "artifact-repositories"
|
|
# key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
|
|
|
|
serviceAccount:
|
|
# -- Create a service account for the controller
|
|
create: true
|
|
# -- Service account name
|
|
name: ""
|
|
# -- Labels applied to created service account
|
|
labels: {}
|
|
# -- Annotations applied to created service account
|
|
annotations: {}
|
|
|
|
# -- Workflow controller name string
|
|
name: workflow-controller
|
|
|
|
# -- Specify all namespaces where this workflow controller instance will manage
|
|
# workflows. This controls where the service account and RBAC resources will
|
|
# be created. Only valid when singleNamespace is false.
|
|
workflowNamespaces:
|
|
- default
|
|
|
|
logging:
|
|
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
|
|
level: info
|
|
# -- Set the glog logging level
|
|
globallevel: "0"
|
|
# -- Set the logging format (one of: `text`, `json`)
|
|
format: "text"
|
|
|
|
server:
|
|
# -- Deploy the Argo Server
|
|
enabled: true
|
|
# -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
|
|
## only updates base url of resources on client side,
|
|
## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
|
|
## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
|
|
baseHref: /
|
|
image:
|
|
# -- Registry to use for the server
|
|
registry: quay.io
|
|
# -- Repository to use for the server
|
|
repository: argoproj/argocli
|
|
# -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
|
|
tag: ""
|
|
rbac:
|
|
# -- Adds Role and RoleBinding for the server.
|
|
create: true
|
|
# -- Servers container-level security context
|
|
serviceAccount:
|
|
# -- Create a service account for the server
|
|
create: true
|
|
# -- Service account name
|
|
name: ""
|
|
# -- Labels applied to created service account
|
|
labels: {}
|
|
# -- Annotations applied to created service account
|
|
annotations: {}
|
|
|
|
# -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
|
|
## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
|
|
authModes:
|
|
- sso
|
|
|
|
## Ingress configuration.
|
|
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
|
|
ingress:
|
|
# -- Enable an ingress resource
|
|
enabled: false
|
|
|
|
# Gateway API HTTPRoute configuration
|
|
# NOTE: Gateway API support is in EXPERIMENTAL status
|
|
# Support depends on your Gateway controller implementation
|
|
# Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
|
|
# Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
|
|
httproute:
|
|
# -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
|
|
enabled: true
|
|
# -- Additional HTTPRoute labels
|
|
labels: {}
|
|
# -- Additional HTTPRoute annotations
|
|
annotations: {}
|
|
# -- Gateway API parentRefs for the HTTPRoute
|
|
## Must reference an existing Gateway
|
|
# @default -- `[]` (See [values.yaml])
|
|
parentRefs:
|
|
- group: gateway.networking.k8s.io
|
|
kind: Gateway
|
|
name: internal
|
|
namespace: kube-system
|
|
sectionName: https
|
|
# -- List of hostnames for the HTTPRoute
|
|
# @default -- `[]` (See [values.yaml])
|
|
hostnames:
|
|
- "workflows.peterg.nl"
|
|
# @default -- `[]` (See [values.yaml])
|
|
rules:
|
|
- matches:
|
|
- path:
|
|
type: PathPrefix
|
|
value: /
|
|
# filters: []
|
|
# - type: RequestHeaderModifier
|
|
# requestHeaderModifier:
|
|
# add:
|
|
# - name: X-Custom-Header
|
|
# value: custom-value
|
|
|
|
# Gateway API BackendTLSPolicy configuration
|
|
# NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
|
|
# Required for HTTPS backends when using Gateway API
|
|
# Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
|
|
backendTLSPolicy:
|
|
# -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
|
|
enabled: false
|
|
# -- Additional BackendTLSPolicy labels
|
|
labels: {}
|
|
# -- Additional BackendTLSPolicy annotations
|
|
annotations: {}
|
|
# -- Target references for the BackendTLSPolicy
|
|
# @default -- `[]` (See [values.yaml])
|
|
targetRefs: []
|
|
# - group: ""
|
|
# kind: Service
|
|
# name: argo-workflows-server
|
|
# sectionName: https
|
|
# -- TLS validation configuration
|
|
# @default -- `{}` (See [values.yaml])
|
|
validation: {}
|
|
# hostname: argo-workflows-server.argo.svc.cluster.local
|
|
# caCertificateRefs:
|
|
# - name: example-ca-cert
|
|
# group: ""
|
|
# kind: ConfigMap
|
|
# wellKnownCACertificates: System
|
|
|
|
clusterWorkflowTemplates:
|
|
# -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
|
|
enabled: true
|
|
# -- Give the server permissions to edit ClusterWorkflowTemplates.
|
|
enableEditing: true
|
|
|
|
# SSO configuration when SSO is specified as a server auth mode.
|
|
sso:
|
|
enabled: true
|
|
issuer: https://auth.peterg.nl/application/o/argo-workflows/
|
|
clientId:
|
|
name: argo-workflows-sso
|
|
key: client-id
|
|
clientSecret:
|
|
name: argo-workflows-sso
|
|
key: client-secret
|
|
redirectUrl: https://workflows.peterg.nl/oauth2/callback
|
|
scopes:
|
|
- groups
|
|
rbac:
|
|
enabled: true
|
|
|
|
# -- Array of extra K8s manifests to deploy
|
|
extraObjects:
|
|
- apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: admin-user
|
|
namespace: argo-workflows
|
|
annotations:
|
|
workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
|
|
workflows.argoproj.io/rbac-rule-precedence: "1"
|
|
- apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: read-only
|
|
namespace: argo-workflows
|
|
annotations:
|
|
workflows.argoproj.io/rbac-rule: "true"
|
|
workflows.argoproj.io/rbac-rule-precedence: "0"
|
|
- apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: argo-workflows-admin-user
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: admin-user
|
|
namespace: argo-workflows
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: argo-workflows-admin
|
|
apiGroup: rbac.authorization.k8s.io
|
|
- apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: argo-workflows-read-only
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: read-only
|
|
namespace: argo-workflows
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: argo-workflows-view
|
|
apiGroup: rbac.authorization.k8s.io
|
|
- apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: argo-workflows-server-sso
|
|
namespace: argo-workflows
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- serviceaccounts
|
|
verbs:
|
|
- get
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- serviceaccounts/token
|
|
verbs:
|
|
- create
|
|
- apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: argo-workflows-server-sso
|
|
namespace: argo-workflows
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: argo-workflows-server
|
|
namespace: argo-workflows
|
|
roleRef:
|
|
kind: Role
|
|
name: argo-workflows-server-sso
|
|
apiGroup: rbac.authorization.k8s.io
|