wheatley/kubernetes
1
0
Fork 0
Code Issues 1 Pull requests 2 Projects Releases Packages Wiki Activity Actions
kubernetes/k8s-peterg/argo-workflows/values.yaml

313 lines
11 KiB
YAML
Raw Blame History

## Custom resource configuration
crds:
# -- Install and upgrade CRDs
install: true
# -- Keep CRDs on chart uninstall
keep: true
# -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
# Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
full: true
# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
createAggregateRoles: true
# -- Restrict Argo to operate only in a single namespace (the namespace of the
# Helm release) by apply Roles and RoleBindings instead of the Cluster
# equivalents, and start workflow-controller with the --namespaced flag. Use it
# in clusters with strict access policy.
singleNamespace: false
workflow:
serviceAccount:
# -- Specifies whether a service account should be created
create: false
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- Service account which is used to run workflows
name: "argo-workflow"
# -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
pullSecrets: []
rbac:
# -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
# A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
create: true
# -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
agentPermissions: false
# -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
artifactGC: false
# -- Extra service accounts to be added to the RoleBinding
serviceAccounts: []
# - name: my-service-account
# namespace: my-namespace
# -- Additional rules for the service account that runs the workflows.
rules: []
controller:
rbac:
# -- Adds Role and RoleBinding for the controller.
create: true
# -- Allows controller to get, list, and watch certain k8s secrets
secretWhitelist: []
# -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
accessAllSecrets: false
# -- Allows controller to create and update ConfigMaps. Enables memoization feature
writeConfigMaps: false
configMap:
# -- Create a ConfigMap for the controller
create: true
# -- ConfigMap name
name: ""
# -- ConfigMap annotations
annotations: {}
# -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
persistence: {}
# connectionPool:
# maxIdleConns: 100
# maxOpenConns: 0
# # save the entire workflow into etcd and DB
# nodeStatusOffLoad: false
# # enable archiving of old workflows
# archive: false
# postgresql:
# host: localhost
# port: 5432
# database: postgres
# tableName: argo_workflows
# # the database secrets must be in the same namespace of the controller
# userNameSecret:
# name: argo-postgres-config
# key: username
# passwordSecret:
# name: argo-postgres-config
# key: password
# ssl: true
# # sslMode must be one of: disable, require, verify-ca, verify-full
# # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
# sslMode: require
# mysql:
# host: localhost
# port: 3306
# database: argo
# tableName: argo_workflows
# userNameSecret:
# name: argo-mysql-config
# key: username
# passwordSecret:
# name: argo-mysql-config
# key: password
# -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
# Only valid for 2.7+
## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
workflowDefaults: {}
# spec:
# ttlStrategy:
# secondsAfterCompletion: 86400
# # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
# artifactRepositoryRef:
# configMap: my-artifact-repository # default is "artifact-repositories"
# key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
serviceAccount:
# -- Create a service account for the controller
create: true
# -- Service account name
name: ""
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- Workflow controller name string
name: workflow-controller
# -- Specify all namespaces where this workflow controller instance will manage
# workflows. This controls where the service account and RBAC resources will
# be created. Only valid when singleNamespace is false.
workflowNamespaces:
- default
logging:
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
level: info
# -- Set the glog logging level
globallevel: "0"
# -- Set the logging format (one of: `text`, `json`)
format: "text"
server:
# -- Deploy the Argo Server
enabled: true
# -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
## only updates base url of resources on client side,
## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
baseHref: /
image:
# -- Registry to use for the server
registry: quay.io
# -- Repository to use for the server
repository: argoproj/argocli
# -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
tag: ""
rbac:
# -- Adds Role and RoleBinding for the server.
create: true
# -- Servers container-level security context
serviceAccount:
# -- Create a service account for the server
create: true
# -- Service account name
name: ""
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
authModes:
- sso
## Ingress configuration.
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
# -- Enable an ingress resource
enabled: false
# Gateway API HTTPRoute configuration
# NOTE: Gateway API support is in EXPERIMENTAL status
# Support depends on your Gateway controller implementation
# Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
# Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
httproute:
# -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
enabled: true
# -- Additional HTTPRoute labels
labels: {}
# -- Additional HTTPRoute annotations
annotations: {}
# -- Gateway API parentRefs for the HTTPRoute
## Must reference an existing Gateway
# @default -- `[]` (See [values.yaml])
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: internal
namespace: kube-system
sectionName: https
# -- List of hostnames for the HTTPRoute
# @default -- `[]` (See [values.yaml])
hostnames:
- "workflows.peterg.nl"
# @default -- `[]` (See [values.yaml])
rules:
- matches:
- path:
type: PathPrefix
value: /
# filters: []
# - type: RequestHeaderModifier
# requestHeaderModifier:
# add:
# - name: X-Custom-Header
# value: custom-value
# Gateway API BackendTLSPolicy configuration
# NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
# Required for HTTPS backends when using Gateway API
# Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
backendTLSPolicy:
# -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
enabled: false
# -- Additional BackendTLSPolicy labels
labels: {}
# -- Additional BackendTLSPolicy annotations
annotations: {}
# -- Target references for the BackendTLSPolicy
# @default -- `[]` (See [values.yaml])
targetRefs: []
# - group: ""
# kind: Service
# name: argo-workflows-server
# sectionName: https
# -- TLS validation configuration
# @default -- `{}` (See [values.yaml])
validation: {}
# hostname: argo-workflows-server.argo.svc.cluster.local
# caCertificateRefs:
# - name: example-ca-cert
# group: ""
# kind: ConfigMap
# wellKnownCACertificates: System
clusterWorkflowTemplates:
# -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
enabled: true
# -- Give the server permissions to edit ClusterWorkflowTemplates.
enableEditing: true
# SSO configuration when SSO is specified as a server auth mode.
sso:
enabled: true
issuer: https://auth.peterg.nl/application/o/argo-workflows/
clientId:
name: argo-workflows-sso
key: client-id
clientSecret:
name: argo-workflows-sso
key: client-secret
redirectUrl: https://workflows.peterg.nl/oauth2/callback
scopes:
- groups
rbac:
enabled: true
# -- Array of extra K8s manifests to deploy
extraObjects:
- apiVersion: v1
kind: ServiceAccount
metadata:
name: admin-user
namespace: argocd-workflows
annotations:
workflows.argoproj.io/rbac-rule: "'ArgoCD Admins' in groups"
workflows.argoproj.io/rbac-rule-precedence: "1"
- apiVersion: v1
kind: ServiceAccount
metadata:
name: read-only
namespace: argocd-workflows
annotations:
workflows.argoproj.io/rbac-rule: "true"
workflows.argoproj.io/rbac-rule-precedence: "0"
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argo-workflows-admin-user
subjects:
- kind: ServiceAccount
name: admin-user
namespace: argocd-workflows
roleRef:
kind: ClusterRole
name: argo-workflows-admin
apiGroup: rbac.authorization.k8s.io
- apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: argo-workflows-read-only
subjects:
- kind: ServiceAccount
name: read-only
namespace: argocd-workflows
roleRef:
kind: ClusterRole
name: argo-workflows-view
apiGroup: rbac.authorization.k8s.io
Reference in a new issue View git blame Copy permalink