sa_8001/dsk-devops-toolchains
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

디렉토리 구조 및 각 서비스 추가

Browse Source
This commit is contained in:
dsk-minchulahn
2024-01-03 17:29:11 +09:00
parent 98de2a7627
commit d601d0f259
1632 changed files with 207616 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
helm/argo-workflows/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
ci/
*.gotmpl

20
helm/argo-workflows/Chart.yaml Normal file
View File

@@ -0,0 +1,20 @@
annotations:
artifacthub.io/changes: |
- kind: fixed
description: Add HA docs and example
artifacthub.io/signKey: |
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
apiVersion: v2
appVersion: v3.4.11
description: A Helm chart for Argo Workflows
home: https://github.com/argoproj/argo-helm
icon: https://argoproj.github.io/argo-workflows/assets/logo.png
maintainers:
- name: argoproj
url: https://argoproj.github.io/
name: argo-workflows
sources:
- https://github.com/argoproj/argo-workflows
type: application
version: 0.33.3

10
helm/argo-workflows/Lab/credentails/aws-secret.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: aws-creds
type: Opaque
data:
AWS_REGION: YXAtbm9ydGhlYXN0LTI=
AWS_ACCESS_KEY_ID: QUtJQVhNVlZGM1RBVEhaTFlFSE4=
AWS_SECRET_ACCESS_KEY: MEQ4WGdmK2gzU3hKQmhBUkdpbXhETUJJbTRMUFNmQmswNlRyaEkxSA==
KMS_ARN: YXJuOmF3czprbXM6YXAtbm9ydGhlYXN0LTI6NTA4MjU5ODUxNDU3OmtleS9hNDhiMWU4OC1hOWJiLTRkODYtYTQ4MS1lZjU0ZTJmNDA0NTI=

8
helm/argo-workflows/Lab/credentails/git-secret.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: git-credentials
type: Opaque
data:
username: amFlaGVlLWp1bmc=
password: Z2hwX0FBRnJ3eGI2ZDZvYXFGdzJaRTdhUmlPUmpwSzlVcjNuNkc3bA==

18
helm/argo-workflows/Lab/credentails/kubeconfig.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMrRENDQWVDZ0F3SUJBZ0lNRnlXQnVlNTZlNTJFd2xzNU1BMEdDU3FHU0liM0RRRUJDd1VBTUJneEZqQVUKQmdOVkJBTVREV3QxWW1WeWJtVjBaWE10WTJFd0hoY05Nakl4TVRBMk1EUXpNVEV5V2hjTk16SXhNVEExTURRegpNVEV5V2pBWU1SWXdGQVlEVlFRREV3MXJkV0psY201bGRHVnpMV05oTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGCkFBT0NBUThBTUlJQkNnS0NBUUVBMElSdldJcVV3WnR4WlZhS2YyMHlFWHNyV2NWNzRzUFpJa0pwM0hqV2JMU3kKYlFkL0xiOVdzMlRRN2FNT1J4U2szTy8yVnJUU2EyWlVubDJyQnN4QThHWENnZDhENm9mcHBnN0FxTWtVQ3REOApacFBNMkFOK2UzWmlUaGlCUHA0aHRmcG4xWEEreEFVTDNsY2RqZHBJVi9vOURIR0J5YTZPSUZIUk5BblRPSWllCnpmZXg3dXZBbmZYa2xudyt6Z2VKTmE3anFhd3RSNFpVTE5Zay9MaU52MlJuVzRYQ1lSQ2ZIMWhLNlp6UG5JYk8KSjhLQzFlbnB2NFFRNXBUYU8yQ0M2RjhGSVRFcHVwNUlKWENEUllHa29Hei9Tbzc0MUdXZ0FmelhRT3hHTS93Wgp4Y2poQ3NuN2psZGRwcXQ3VWprMFV6NTVycXRHZGo5Y3JZUWRtRXlkelFJREFRQUJvMEl3UURBT0JnTlZIUThCCkFmOEVCQU1DQVFZd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVVN2SkxFTGhUcEpVd3A5UmwKYytQckpvYzVzZjB3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUlwRnBWVzBNd1JGdnRTall2ZldwdGdPMHdGUApRL1BGcTl3c0w4YzlEYjdadm04UXI0aHZVV0NRbnJjLzhzeWNCNTJoREhqbVJvdzIrOTdyT0JKaTRjOWRhMllKCkhuRVFBZEpFWVlPRjVJZ0Z0T0JVcUpjbmdxbEQzMEQ4cjFncVI4RDkxbEpiVXVzUnFWc2pSUXNvWFNGelZwSVYKTVBsQ3IrZloxVEpXSmN6RVVoRDkrNnFZUnpmUlBSU3VKdmNmUzFtbWlBaUdOaEwwZXBWN2s3eW4yUHlJTEVWQwpQcDFMcStNUGJJdnNRcnZHQnZ2aURpUCs1SXJlVUYvZzNGU1JqQVNIaGxvZ0NwZFFjZkVlQnVXNkxYdksyNUJjCk9PbUVUcXpaMm40ZTlQMUg4M25nSHVDOEdwaU1iY1VaaFlLQ0hYSXU0MEdrdkl5R0wyZTF2Vks4a2o4PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://api.k8s-prod.datasaker.io
name: dsk-prod-cluster
contexts:
- context:
cluster: dsk-prod-cluster
user: monitor-ro
name: dsk-prod-cluster
current-context: dsk-prod-cluster
kind: Config
preferences: {}
users:
- name: monitor-ro
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Ik9LMDAzSmljd1NydVNMYkc1cVg4Sk1qYW9QNDMxVEp2bmlGQ2FMaFQtQVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6Im1vbml0b3Itcm8tc2VjcmV0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6Im1vbml0b3Itcm8iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiI1ZTliZDYwNy0yZTllLTQwNWUtOGM1My00ZWU4Njg0ZTUzZjIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDptb25pdG9yLXJvIn0.otQZico3ewb89vgcZRRxP3MfWS-P25rhqahisz80Kku8XrbdiJZqff3lZxU1Snb9w1cTgvszEAB7yBDQqPWiFVKSZl8xedWJaraOHR7UvvnoclTeEtyrUNcMbG4bbljPk0sb-H-H3FR_xw6oJvRsWTSEq0z2ztMKp0R8ky4gQOl8hdFQ0eICGs1I6Gy69z9PuaVjhBNO3EIvMPJQcFtbgiXYBpAqKefRFnrJ5gW00cZhb0Jcc5OQkoTByGqMpsdCB4JpYmjA0qSo79G9JkN2iN2VaqvxUjc1MKIzpYr_2bN9PFIakue8qILVUaHQyUcSxPJN1Y0rwNVZ_xiyedhxLA

8
helm/argo-workflows/Lab/credentails/my-kubeconfig.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: my-kubeconfig
type: Opaque
data:
config: YXBpVmVyc2lvbjogdjEKY2x1c3RlcnM6Ci0gY2x1c3RlcjoKICAgIGNlcnRpZmljYXRlLWF1dGhvcml0eS1kYXRhOiBMUzB0TFMxQ1JVZEpUaUJEUlZKVVNVWkpRMEZVUlMwdExTMHRDazFKU1VNclJFTkRRV1ZEWjBGM1NVSkJaMGxOUm5sWFFuVmxOVFpsTlRKRmQyeHpOVTFCTUVkRFUzRkhVMGxpTTBSUlJVSkRkMVZCVFVKbmVFWnFRVlVLUW1kT1ZrSkJUVlJFVjNReFdXMVdlV0p0VmpCYVdFMTBXVEpGZDBob1kwNU5ha2w0VFZSQk1rMUVVWHBOVkVWNVYyaGpUazE2U1hoTlZFRXhUVVJSZWdwTlZFVjVWMnBCV1UxU1dYZEdRVmxFVmxGUlJFVjNNWEprVjBwc1kyMDFiR1JIVm5wTVYwNW9UVWxKUWtscVFVNUNaMnR4YUd0cFJ6bDNNRUpCVVVWR0NrRkJUME5CVVRoQlRVbEpRa05uUzBOQlVVVkJNRWxTZGxkSmNWVjNXblI0V2xaaFMyWXlNSGxGV0hOeVYyTldOelJ6VUZwSmEwcHdNMGhxVjJKTVUza0tZbEZrTDB4aU9WZHpNbFJSTjJGTlQxSjRVMnN6VHk4eVZuSlVVMkV5V2xWdWJESnlRbk40UVRoSFdFTm5aRGhFTm05bWNIQm5OMEZ4VFd0VlEzUkVPQXBhY0ZCTk1rRk9LMlV6V21sVWFHbENVSEEwYUhSbWNHNHhXRUVyZUVGVlRETnNZMlJxWkhCSlZpOXZPVVJJUjBKNVlUWlBTVVpJVWs1QmJsUlBTV2xsQ25wbVpYZzNkWFpCYm1aWWEyeHVkeXQ2WjJWS1RtRTNhbkZoZDNSU05GcFZURTVaYXk5TWFVNTJNbEp1VnpSWVExbFNRMlpJTVdoTE5scDZVRzVKWWs4S1NqaExRekZsYm5CMk5GRlJOWEJVWVU4eVEwTTJSamhHU1ZSRmNIVndOVWxLV0VORVVsbEhhMjlIZWk5VGJ6YzBNVWRYWjBGbWVsaFJUM2hIVFM5M1dncDRZMnBvUTNOdU4ycHNaR1J3Y1hRM1ZXcHJNRlY2TlRWeWNYUkhaR281WTNKWlVXUnRSWGxrZWxGSlJFRlJRVUp2TUVsM1VVUkJUMEpuVGxaSVVUaENDa0ZtT0VWQ1FVMURRVkZaZDBSM1dVUldVakJVUVZGSUwwSkJWWGRCZDBWQ0wzcEJaRUpuVGxaSVVUUkZSbWRSVlZOMlNreEZUR2hVY0VwVmQzQTVVbXdLWXl0UWNrcHZZelZ6WmpCM1JGRlpTa3R2V2tsb2RtTk9RVkZGVEVKUlFVUm5aMFZDUVVsd1JuQldWekJOZDFKR2RuUlRhbGwyWmxkd2RHZFBNSGRHVUFwUkwxQkdjVGwzYzB3NFl6bEVZamRhZG0wNFVYSTBhSFpWVjBOUmJuSmpMemh6ZVdOQ05USm9SRWhxYlZKdmR6SXJPVGR5VDBKS2FUUmpPV1JoTWxsS0NraHVSVkZCWkVwRldWbFBSalZKWjBaMFQwSlZjVXBqYm1keGJFUXpNRVE0Y2pGbmNWSTRSRGt4YkVwaVZYVnpVbkZXYzJwU1VYTnZXRk5HZWxad1NWWUtUVkJzUTNJclpsb3hWRXBYU21ONlJWVm9SRGtyTm5GWlVucG1VbEJTVTNWS2RtTm1VekZ0YldsQmFVZE9hRXd3WlhCV04yczNlVzR5VUhsSlRFVldRd3BRY0RGTWNTdE5VR0pKZG5OUmNuWkhRbloyYVVScFVDczFTWEpsVlVZdlp6TkdVMUpxUVZOSWFHeHZaME53WkZGalprVmxRblZYTmt4WWRrc3lOVUpqQ2s5UGJVVlVjWHBhTW00MFpUbFFNVWc0TTI1blNIVkRPRWR3YVUxaVkxVmFhRmxMUTBoWVNYVTBNRWRyZGtsNVIwd3laVEYyVmtzNGEybzRQUW90TFMwdExVVk9SQ0JEUlZKVVNVWkpRMEZVUlMwdExTMHRDZz09CiAgICBzZXJ2ZXI6IGh0dHBzOi8vYXBpLms4cy1wcm9kLmRhdGFzYWtlci5pbwogIG5hbWU6IGRzay1wcm9kLWNsdXN0ZXIKY29udGV4dHM6Ci0gY29udGV4dDoKICAgIGNsdXN0ZXI6IGRzay1wcm9kLWNsdXN0ZXIKICAgIHVzZXI6IG1vbml0b3Itcm8KICBuYW1lOiBkc2stcHJvZC1jbHVzdGVyCmN1cnJlbnQtY29udGV4dDogZHNrLXByb2QtY2x1c3RlcgpraW5kOiBDb25maWcKcHJlZmVyZW5jZXM6IHt9CnVzZXJzOgotIG5hbWU6IG1vbml0b3Itcm8KICB1c2VyOgogICAgdG9rZW46IGV5SmhiR2NpT2lKU1V6STFOaUlzSW10cFpDSTZJazlMTURBelNtbGpkMU55ZFZOTVlrYzFjVmc0U2sxcVlXOVFORE14VkVwMmJtbEdRMkZNYUZRdFFWVWlmUS5leUpwYzNNaU9pSnJkV0psY201bGRHVnpMM05sY25acFkyVmhZMk52ZFc1MElpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl1WVcxbGMzQmhZMlVpT2lKa1pXWmhkV3gwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaV055WlhRdWJtRnRaU0k2SW0xdmJtbDBiM0l0Y204dGMyVmpjbVYwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWJtRnRaU0k2SW0xdmJtbDBiM0l0Y204aUxDSnJkV0psY201bGRHVnpMbWx2TDNObGNuWnBZMlZoWTJOdmRXNTBMM05sY25acFkyVXRZV05qYjNWdWRDNTFhV1FpT2lJMVpUbGlaRFl3TnkweVpUbGxMVFF3TldVdE9HTTFNeTAwWldVNE5qZzBaVFV6WmpJaUxDSnpkV0lpT2lKemVYTjBaVzA2YzJWeWRtbGpaV0ZqWTI5MWJuUTZaR1ZtWVhWc2REcHRiMjVwZEc5eUxYSnZJbjAub3RRWmljbzNld2I4OXZnY1pSUnhQM01mV1MtUDI1cmhxYWhpc3o4MEtrdThYcmJkaUpacWZmM2xaeFUxU25iOXcxY1RndnN6RUFCN3lCRFFxUFdpRlZLU1psOHhlZFdKYXJhT0hSN1V2dm5vY2xUZUV0eXJVTmNNYkc0YmJsalBrMHNiLUgtSDNGUl94dzZvSnZSc1dUU0VxMHoyenRNS3AwUjhreTRnUU9sOGhkRlEwZUlDR3MxSTZHeTY5ejlQdWFWamhCTk8zRUl2TVBKUWNGdGJnaVhZQnBBcUtlZlJGbnJKNWdXMDBjWmhiMEpjYzVPUWtvVEJ5R3FNcHNkQ0I0SnBZbWpBMHFTbzc5RzlKa04yaU4yVmFxdnhVamMxTUtJenBZcl8yYk45UEZJYWt1ZThxSUxWVWFIUXlVY1N4UEpOMVkwcndOVlpfeGl5ZWRoeExBCg==

8
helm/argo-workflows/Lab/db-backup/bastion-ssh-key.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: bastion-ssh-key
type: Opaque
data:
ssh-key: LS0tLS1CRUdJTiBPUEVOU1NIIFBSSVZBVEUgS0VZLS0tLS0KYjNCbGJuTnphQzFyWlhrdGRqRUFBQUFBQkc1dmJtVUFBQUFFYm05dVpRQUFBQUFBQUFBQkFBQUJsd0FBQUFkemMyZ3RjbgpOaEFBQUFBd0VBQVFBQUFZRUE0OXhHTFE5OGEweUFSWkNGdFA2ZFFWWDNlbTlvMEVqeVdCZDVGSTVwN0N6VXJJM0wyRDJ5CkR1ancyU1l0TTRFSU1hYWhPU0FUblBJNDFrTm9CWU85Y3UrZ0FWYzF4cVA4SjkrZm9BUE1WRmZPK0oyZ2pDRUJGYlNwRUwKZmlPNDRQN2NpZWNTWFRGdmxqby9lQndwbEEwTzl3RkxzSnN2eHo0dG9odGlWQnEwSHNkbDZnTmJkTFQrU1VBcDFJbDV3TgpTemdvUTNoS3dJYnhjckFoWlI4S3d6MjNoU1dDTC94NlMyRVlpdmY3WTVxOG8razlBQmJvMHlVMHovZUxrMTlxekpPQ0hLCkFFSlRWQ1Q4TGhMSnc3L1hDYkF6RnNDQnNXWmNVbHVVRDJqL0dMVnVBdURLd3RpRGlJemxmUDRLME04SnYyemtLT0YvRG0KM3gwSTRVT3ZZS2pNaElseUpQb3BvQWErakRVaSt3TDVJT1RiV3Y1VXpCNSswTU1EZVVaVGYyRmo4MTkyTmdTSGx1NnV3RwpKcW5BUUVQMCtpTkpYSFN2NHFZbENMMTNCd1hCbzV6TjBncmNQdGpwdVJOMk5JcHMxSkMrZHh4MUsrQzc3eVdmbVF1anZCCnF0YlI5bFZvQmtMK0xMVlpQRVZQWlgxZlZwRTE1eElFRGJNc2MrWHRBQUFGaVBVQThvYjFBUEtHQUFBQUIzTnphQzF5YzIKRUFBQUdCQU9QY1JpMFBmR3RNZ0VXUWhiVCtuVUZWOTNwdmFOQkk4bGdYZVJTT2Fld3MxS3lOeTlnOXNnN284TmttTFRPQgpDREdtb1RrZ0U1enlPTlpEYUFXRHZYTHZvQUZYTmNhai9DZmZuNkFEekZSWHp2aWRvSXdoQVJXMHFSQzM0anVPRCszSW5uCkVsMHhiNVk2UDNnY0taUU5EdmNCUzdDYkw4YytMYUliWWxRYXRCN0haZW9EVzNTMC9rbEFLZFNKZWNEVXM0S0VONFNzQ0cKOFhLd0lXVWZDc005dDRVbGdpLzhla3RoR0lyMysyT2F2S1BwUFFBVzZOTWxOTS8zaTVOZmFzeVRnaHlnQkNVMVFrL0M0Uwp5Y08vMXdtd014YkFnYkZtWEZKYmxBOW8veGkxYmdMZ3lzTFlnNGlNNVh6K0N0RFBDYjlzNUNqaGZ3NXQ4ZENPRkRyMkNvCnpJU0pjaVQ2S2FBR3ZvdzFJdnNDK1NEazIxcitWTXdlZnREREEzbEdVMzloWS9OZmRqWUVoNWJ1cnNCaWFwd0VCRDlQb2oKU1Z4MHIrS21KUWk5ZHdjRndhT2N6ZElLM0Q3WTZia1RkalNLYk5TUXZuY2NkU3ZndSs4bG41a0xvN3dhclcwZlpWYUFaQwovaXkxV1R4RlQyVjlYMWFSTmVjU0JBMnpMSFBsN1FBQUFBTUJBQUVBQUFHQUoveW5BQTlncVQvU251S2U1RVZ1ZVdISnZWCjNCeWhPVEcreDZuaVhqNXNOelN4alROZzZWcWRJdE9oNWQvbFRkaUVFU3VBQ3VFSFBkajVSaXM5MExxUmp1UG0zOGpQQ0kKTnNNaXN5VVhmWkd2UzZmMTNjR0kvRE1wSERyNDQ3U3BqUFFSQWhBK1BDRGw0SWQxNlIyVjUxU3RtYVc5TFFEcW9WdmdZSwpPbkk1TzlHSVRBbnN5YzFkZHFOZzgrQndVbXZCV04wMUZQNVB1SmNiUUJHRXJiUzZvUUE3aXlZUk53cnJ2S1g5RG05L0xXCnVma2JjR0dVMkVFR1JKelBqTHhJbi9xQmdCdzgzT3VJVDVrSXVxRHhaMEltOHVqS1RxR2UxbG5hakJHMG5yQkNHZEVSczUKUDlGRENWOEY0QkdPZlV5MGNqKyszZjg5U3RoREx2WGFLMzNrY3hpeTI2ZzhaTGQvWWZmVjF1SDBnVlFpNUlRUTVsc0hyWAozMkN4NU9YUEJmeldyNVJXcEw3T0VwUXVMcVJxZzdxU3g4N0t1eU4wUG15bnkzZkwrVUZtbjdjYVhneXhrZWliNExiaGVwClVzekRGYWdBbjE4UU1yNzJob1dyczh2ZklTMTg2eW1XYzFreTE0TzNZMWlDQ0s1VE5BQVB3S3VPSURWNllJbnIvdEFBQUEKd0hWMUhiUHZ0S0w3aHgwM2JYL29tMENSSzh3dXI2dGRJMTJRbVNzRkYrQ0JNQ1FmYUlMTDZaYVhQdDkvVWVDYm5QWnlBZQpkL0tqYVM0cWw3OVdlVHhRY2huK1Frd2V6SGJ1RDZ4WjRqUjV2WEIzc2pmMWlGcEVqVm9mdGtMK2VyT0duZjh0YzB6RTBiCllBTmlvUkpBQUVMUjJZMzlrQXJkOGREQWFmbzVYai82Y0dJUWI5ekpEdzZDb2g5SE03WW5maHdqQkpoQVBic01TUjBNUEsKNHpvTUYrenl5QXM3OVQrME1SUFUwVGV4b1RMY25GTGpPM0VHNHdBMEZ5dTBMOGt3QUFBTUVBODFJRmdMeFVZdTRJblVLbApSN0FmOHh2bnZqM1NNcEhNRURXemNCeDhqL3dNZWNoWjBrMVZwMmZCZzdwdjF1Tll1OXNGbzBvekJXdG0xZy9rcjJDYjVSCkZ6Tnh3eHpBUDg5L3RxZVA3NDVIcjBKamQ4L08yb3pCMThYTThYcVh4ZHpSSkg2dUFGUFI2N0Exby95Szk3dDAyVklqYkgKUnVwY2Z4TlpGeFZmbTF5Y1NBd1Z1N1NLK2FlUlBCbndBQk5mL3Y3Wm4rWWl0T0ozRGlHR3hSNWp4bHZtczIvR3pPNjlEZApsbFQwRGFPNkhPbWIyYTkwY0pucithc01xSGk4THZBQUFBd1FEdnZBTHpQVUhSaWY4K0RvY3VjMnUrdjlta2NyMDNhUkkrCkNoNGdXOFpSSTlmbDBKYkJ0akhwWHRVR3VleExOV0NJUlVtd3FSSnlzRFVSN0MrREVFQWlZRU1PdDZBU2JXTkw0UXgxQ3AKZkRvbTNFdGFPbTUzUTR6QURTdC81NVJtbEUrZWpad09aZEw3bWdKb1l3QmVPRUQvaHJxSXYvOEtmOU0yWW9yQTl1TWp5ZwpQNEpsb1R5V2I0WlhCOEgrUDNrbS9aWWt5ZHpBTUhaTTN4RXZVZXFkNzlIWHlHVW5BRmdSeVdQMUJIZVBmcSt6Z1lFWnVzClBqeU1IZk9manF0T01BQUFBTmNtOXZkRUIwYlhBdGRHVnpkQUVDQXdRRkJnPT0KLS0tLS1FTkQgT1BFTlNTSCBQUklWQVRFIEtFWS0tLS0tCg==

71
helm/argo-workflows/Lab/db-backup/db-backup-cron.yaml Normal file
View File

@@ -0,0 +1,71 @@
apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
name: db-backup-cron
spec:
schedule: "0 5 * * *"
timezone: "Asia/Seoul"
workflowSpec:
entrypoint: db-backup
templates:
- name: db-backup
container:
image: nexus2.exem-oss.org/dsk-middleware-backup:v2.0
env:
- name: sh_debug
value: ''
- name: MASTER_HOST
valueFrom:
secretKeyRef:
name: db-creds
key: master_host
- name: MONGO_MANIFEST_PORT
value: '30111'
- name: MONGO_DSK_PORT
value: '30112'
- name: MONGO_USERNAME
valueFrom:
secretKeyRef:
name: db-creds
key: mongo_username
- name: MONGO_PASSWORD
valueFrom:
secretKeyRef:
name: db-creds
key: mongo_password
- name: POSTGRES_PORT
value: '32098'
- name: POSTGRES_USERNAME
valueFrom:
secretKeyRef:
name: db-creds
key: postgres_username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: db-creds
key: postgres_password
- name: S3_BUCKET
value: 'dsk-middleware-backup'
- name: sse
value: 'aws:kms'
- name: AWS_DEFAULT_REGION
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_SECRET_ACCESS_KEY
- name: kms_arn
valueFrom:
secretKeyRef:
name: aws-creds
key: KMS_ARN

11
helm/argo-workflows/Lab/db-backup/db-creds.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
name: db-creds
type: Opaque
data:
master_host: MTcyLjI0LjEyLjExMQ==
mongo_username: cm9vdA==
mongo_password: bW9uZ28jcGFzcw==
postgres_username: cG9zdGdyZXM=
postgres_password: cm9vdA==

92
helm/argo-workflows/Lab/db-backup/test-workflow.yaml Normal file
View File

@@ -0,0 +1,92 @@
apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
name: db-backup-cron
spec:
schedule: "0 5 * * *"
timezone: "Asia/Seoul"
workflowSpec:
entrypoint: db-backup
templates:
- name: db-backup
container:
image: nexus2.exem-oss.org/dsk-middleware-backup:v3.0
command: ["sh", "-c"]
args:
- |
# SSH 키를 파일로 저장
echo -n "$SSH_KEY" > /tmp/id_rsa
chmod 600 /tmp/id_rsa
cat /tmp/id_rsa
# SSH 터널링 설정
ssh -i /tmp/id_rsa -fN -L $MONGO_MANIFEST_PORT:$MASTER_HOST:$MONGO_MANIFEST_PORT dev2@bastion.kr.datasaker.io -o StrictHostKeyChecking=no &
ssh -i /tmp/id_rsa -fN -L $MONGO_DSK_PORT:$MASTER_HOST:$MONGO_DSK_PORT dev2@bastion.kr.datasaker.io -o StrictHostKeyChecking=no &
ssh -i /tmp/id_rsa -fN -L $POSTGRES_PORT:$MASTER_HOST:$POSTGRES_PORT dev2@bastion.kr.datasaker.io -o StrictHostKeyChecking=no &
chmod +x /backup.sh
/backup.sh
env:
- name: SSH_KEY
valueFrom:
secretKeyRef:
name: bastion-ssh-key
key: ssh-key
- name: sh_debug
value: ''
- name: MASTER_HOST
valueFrom:
secretKeyRef:
name: db-creds
key: master_host
- name: MONGO_MANIFEST_PORT
value: '30111'
- name: MONGO_DSK_PORT
value: '30112'
- name: MONGO_USERNAME
valueFrom:
secretKeyRef:
name: db-creds
key: mongo_username
- name: MONGO_PASSWORD
valueFrom:
secretKeyRef:
name: db-creds
key: mongo_password
- name: POSTGRES_PORT
value: '32098'
- name: POSTGRES_USERNAME
valueFrom:
secretKeyRef:
name: db-creds
key: postgres_username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: db-creds
key: postgres_password
- name: S3_BUCKET
value: 'dsk-middleware-backup'
- name: sse
value: 'aws:kms'
- name: AWS_DEFAULT_REGION
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_SECRET_ACCESS_KEY
- name: kms_arn
valueFrom:
secretKeyRef:
name: aws-creds
key: KMS_ARN
restartPolicy: OnFailure

190
helm/argo-workflows/Lab/script.sh Normal file
View File

@@ -0,0 +1,190 @@
#!/bin/bash
#------------------------------------------------------------------------------------------------------
__init (){
datetime=`date "+%Y.%m.%d %H:%M:%S"`
echo -e "*current time : ${datetime}\n" > ${file}
cat ${origin} >> ${file}
}
#------------------------------------------------------------------------------------------------------
__append (){
line_count=`cat ${exec_log} | grep -v -- -- | egrep -v '(name|ri_count)' | wc -l`
echo -e "\n${title} [${line_count}]\n" >> ${file}
cat ${exec_log} >> ${file}
}
#------------------------------------------------------------------------------------------------------
__query_exec (){
steampipe query "${1}" > ${exec_log}
__log_sed
}
#------------------------------------------------------------------------------------------------------
__log_sed (){
sed -i 's/+/|/g' ${exec_log}
sed -i "s/node-role.kubernetes.io\///g" ${exec_log}
sed -i '1d;$d' ${exec_log}
}
#------------------------------------------------------------------------------------------------------
node_query="""
SELECT
name,
annotations ->> 'projectcalico.org/IPv4Address' AS IP,
COALESCE(taints -> 0 ->> 'key', '-') AS Taints_key,
COALESCE(tags ->> 'kops.k8s.io/instancegroup', '-') AS Instance_group,
capacity ->> 'cpu' AS CPU,
CEIL((CAST(regexp_replace(capacity ->> 'memory', 'Ki', '') AS FLOAT) / 1024 / 1024)) AS Memory,
tags ->> 'topology.kubernetes.io/zone' AS Zone,
tags ->> 'beta.kubernetes.io/instance-type' AS Instance_type,
node_info ->> 'osImage' AS OS,
node_info ->> 'kubeletVersion' AS K8S_ver,
node_info ->> 'containerRuntimeVersion' AS Runtime_ver
FROM
kubernetes_node
ORDER BY
Taints_key
"""
resources_query="""
(SELECT
'sts' as kind,
name,
available_replicas as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_stateful_set
WHERE
name not like 'rel-%')
union
(SELECT
'deploy' as kind,
name,
available_replicas as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_deployment
WHERE
name not like 'rel-%')
union
(SELECT
'ds' as kind,
name,
number_available as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_daemonset
WHERE
name not like 'rel-%')
order by kind
"""
service_query="""
SELECT
name,
namespace,
type,
lower(p ->> 'nodePort') as Node_Port,
age(current_timestamp, creation_timestamp)
FROM
kubernetes_service,
jsonb_array_elements(ports) as p
WHERE
type='NodePort'
ORDER BY
Node_Port
"""
#name not like '%rel-%'
aws_ri_query="""
SELECT
COALESCE(a.availability_zone, b.availability_zone, '-') AS availability_zone,
COALESCE(a.instance_type, b.instance_type, c.instance_type, '-') AS instance_type,
COALESCE(c.cpu, 0) AS cpu,
COALESCE(c.memory, 0) AS memory,
COALESCE(a.ri_count, 0) AS ri_count,
COALESCE(b.ec2_count, 0) AS ec2_count,
COALESCE(b.ec2_count, 0) - COALESCE(a.ri_count, 0) AS result
FROM
(SELECT
availability_zone,
instance_type,
SUM(instance_count) AS ri_count
FROM
aws_ec2_reserved_instance
WHERE
instance_state='active'
GROUP BY
availability_zone,
instance_type
) a
FULL OUTER JOIN
(SELECT
placement_availability_zone AS availability_zone,
instance_type,
COUNT(*) AS ec2_count
FROM
aws_ec2_instance
WHERE
instance_state='running' AND
instance_lifecycle!='spot'
GROUP BY
availability_zone,
instance_type
) b
ON
a.availability_zone = b.availability_zone AND
a.instance_type = b.instance_type
INNER JOIN
(SELECT
instance_type,
(CAST(memory_info ->> 'SizeInMiB' AS FLOAT) / 1024) AS memory,
(CAST(v_cpu_info ->> 'DefaultCores' AS FLOAT) * 2) AS cpu
FROM
aws_ec2_instance_type
WHERE
instance_type in (SELECT instance_type FROM aws_ec2_instance WHERE instance_state='running')
GROUP BY
instance_type, memory, cpu
) c
ON
COALESCE(a.instance_type, b.instance_type, '-') = c.instance_type
ORDER BY availability_zone
"""
#instance_type in (SELECT instance_type FROM aws_ec2_instance WHERE instance_state='running' AND instance_lifecycle!='spot')
#------------------------------------------------------------------------------------------------------
origin="org_README.md"
exec_log="/shared-data/query.log"
file="/shared-data/README2.md"
#------------------------------------------------------------------------------------------------------
__init
title="## 노드 목록"
__query_exec "${node_query}"
__append
title="## 리소스 목록"
__query_exec "${resources_query}"
__append
title="## 서비스 목록 (NodePort)"
__query_exec "${service_query}"
__append
title="## 예약 인스턴스 사용 내역"
__query_exec "${aws_ri_query}"
__append
#------------------------------------------------------------------------------------------------------
rm ${exec_log}

11
helm/argo-workflows/Lab/steampipe-dashboard/00_Old/test-pod.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: steampipe
spec:
containers:
- name: steampipe
image: ghcr.io/turbot/steampipe:latest
command: ["/bin/bash"]
args: ["-c", "while true; do sleep 10; done"]

112
helm/argo-workflows/Lab/steampipe-dashboard/00_Old/test-workflow.yaml Normal file
View File

@@ -0,0 +1,112 @@
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: scripts-bash-
spec:
entrypoint: bash-script-example
volumes:
- name: script-volume
configMap:
name: steampipe-script
- name: kubeconfig
secret:
secretName: my-kubeconfig
volumeClaimTemplates:
- metadata:
name: shared-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
templates:
- name: bash-script-example
dag:
tasks:
- name: steampipe
template: steampipe
- name: git
template: git
dependencies:
- steampipe
- name: steampipe
script:
image: ghcr.io/turbot/steampipe:latest
command: [bash]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
- name: kubeconfig
mountPath: /kubeconfig
env:
- name: AWS_REGION
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_SECRET_ACCESS_KEY
- name: KMS_ARN
valueFrom:
secretKeyRef:
name: aws-creds
key: KMS_ARN
- name: KUBECONFIG
value: /kubeconfig/config
source: |
# 쿼리 결과를 공유 볼륨에 저장
steampipe plugin install aws
steampipe plugin install kubernetes
sleep 1
steampipe service restart --force
sleep 1
cd /shared-data/
sleep 1
bash /scripts/script.sh
- name: git
script:
image: alpine/git:latest
command: [sh]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
env:
- name: GIT_USERNAME
valueFrom:
secretKeyRef:
name: git-credentials
key: username
- name: GIT_PASSWORD
valueFrom:
secretKeyRef:
name: git-credentials
key: password
source: |
git config --global credential.helper 'store --file /tmp/credentials'
echo "https://${GIT_USERNAME}:${GIT_PASSWORD}@github.com" > /tmp/credentials
git config --global user.email "havelight@ex-em.com"
git config --global user.name "jaehee-jung"
cd /shared-data # 경로 내의 파일 목록 확인
git clone https://github.com/CloudMOA/dsk-iac.git
# 공유 볼륨에서 쿼리 결과 읽기
cp README2.md dsk-iac/README.md
# 커밋 및 푸시 작업 수행
cd dsk-iac
git add README.md
git commit -m "Update README with query result"
git push

143
helm/argo-workflows/Lab/steampipe-dashboard/cron-steampipe-report.yaml Normal file
View File

@@ -0,0 +1,143 @@
apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
name: steampipe-aws-report
spec:
schedule: "0 8 * * *"
timezone: "Asia/Seoul"
workflowSpec:
entrypoint: bash-script-example
volumes:
- name: script-volume
configMap:
name: steampipe-script
- name: kubeconfig
secret:
secretName: my-kubeconfig
volumeClaimTemplates:
- metadata:
name: shared-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
templates:
- name: bash-script-example
dag:
tasks:
- name: git-steampipe
template: git-steampipe
- name: steampipe
template: steampipe
dependencies:
- git-steampipe
- name: git-argo-workflows
template: git-argo-workflows
dependencies:
- steampipe
- name: steampipe
script:
image: ghcr.io/turbot/steampipe:latest
command: [bash]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
- name: kubeconfig
mountPath: /kubeconfig
env:
- name: AWS_REGION
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_SECRET_ACCESS_KEY
- name: KMS_ARN
valueFrom:
secretKeyRef:
name: aws-creds
key: KMS_ARN
- name: KUBECONFIG
value: /kubeconfig/config
source: |
# 쿼리 결과를 공유 볼륨에 저장
steampipe plugin install aws
sleep 3
steampipe service restart --force
sleep 1
cd /shared-data/steampipe-mod-aws-compliance
steampipe check benchmark.foundational_security --output=md > ../README.md
sleep 1
- name: git-steampipe
script:
image: alpine/git:latest
command: [sh]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
env:
- name: GIT_USERNAME
valueFrom:
secretKeyRef:
name: git-credentials
key: username
- name: GIT_PASSWORD
valueFrom:
secretKeyRef:
name: git-credentials
key: password
source: |
cd /shared-data/
git clone https://github.com/turbot/steampipe-mod-aws-compliance.git
- name: git-argo-workflows
script:
image: alpine/git:latest
command: [sh]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
env:
- name: GIT_USERNAME
valueFrom:
secretKeyRef:
name: git-credentials
key: username
- name: GIT_PASSWORD
valueFrom:
secretKeyRef:
name: git-credentials
key: password
source: |
cd /shared-data/
git config --global credential.helper 'store --file /tmp/credentials'
echo "https://${GIT_USERNAME}:${GIT_PASSWORD}@github.com" > /tmp/credentials
git config --global user.email "havelight@ex-em.com"
git config --global user.name "jaehee-jung"
git clone https://github.com/CloudMOA/argo-workflows.git
# 공유 볼륨에서 쿼리 결과 읽기
cp README.md argo-workflows/README.md
# 커밋 및 푸시 작업 수행
cd argo-workflows
git add README.md
git commit -m "Update README with query result"
git push

200
helm/argo-workflows/Lab/steampipe-dashboard/steampipe_configmap.yaml Normal file
View File

@@ -0,0 +1,200 @@
kind: ConfigMap
metadata:
annotations:
name: steampipe-script
namespace: argo-workflows
apiVersion: v1
data:
script.sh: |
#!/bin/bash
#------------------------------------------------------------------------------------------------------
__init (){
touch ${origin}
touch ${exec_log}
datetime=`TZ='Asia/Seoul' date "+%Y.%m.%d %H:%M:%S"`
echo -e "*update time : ${datetime}\n" > ${file}
cat ${origin} >> ${file}
}
#------------------------------------------------------------------------------------------------------
__append (){
line_count=`cat ${exec_log} | grep -v -- -- | egrep -v '(name|ri_count)' | wc -l`
echo -e "\n${title} [${line_count}]\n" >> ${file}
cat ${exec_log} >> ${file}
}
#------------------------------------------------------------------------------------------------------
__query_exec (){
steampipe query "${1}" > ${exec_log}
__log_sed
}
#------------------------------------------------------------------------------------------------------
__log_sed (){
sed -i 's/+/|/g' ${exec_log}
sed -i "s/node-role.kubernetes.io\///g" ${exec_log}
sed -i '1d;$d' ${exec_log}
}
#------------------------------------------------------------------------------------------------------
node_query="""
SELECT
name,
annotations ->> 'projectcalico.org/IPv4Address' AS IP,
COALESCE(taints -> 0 ->> 'key', '-') AS Taints_key,
COALESCE(tags ->> 'kops.k8s.io/instancegroup', '-') AS Instance_group,
capacity ->> 'cpu' AS CPU,
CEIL((CAST(regexp_replace(capacity ->> 'memory', 'Ki', '') AS FLOAT) / 1024 / 1024)) AS Memory,
tags ->> 'topology.kubernetes.io/zone' AS Zone,
tags ->> 'beta.kubernetes.io/instance-type' AS Instance_type,
node_info ->> 'osImage' AS OS,
node_info ->> 'kubeletVersion' AS K8S_ver,
node_info ->> 'containerRuntimeVersion' AS Runtime_ver
FROM
kubernetes_node
ORDER BY
Taints_key
"""
resources_query="""
(SELECT
'sts' as kind,
name,
available_replicas as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_stateful_set
WHERE
name not like 'rel-%')
union
(SELECT
'deploy' as kind,
name,
available_replicas as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_deployment
WHERE
name not like 'rel-%')
union
(SELECT
'ds' as kind,
name,
number_available as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_daemonset
WHERE
name not like 'rel-%')
order by kind
"""
service_query="""
SELECT
name,
namespace,
type,
lower(p ->> 'nodePort') as Node_Port,
age(current_timestamp, creation_timestamp)
FROM
kubernetes_service,
jsonb_array_elements(ports) as p
WHERE
type='NodePort'
ORDER BY
Node_Port
"""
#name not like '%rel-%'
aws_ri_query="""
SELECT
COALESCE(a.availability_zone, b.availability_zone, '-') AS availability_zone,
COALESCE(a.instance_type, b.instance_type, c.instance_type, '-') AS instance_type,
COALESCE(c.cpu, 0) AS cpu,
COALESCE(c.memory, 0) AS memory,
COALESCE(a.ri_count, 0) AS ri_count,
COALESCE(b.ec2_count, 0) AS ec2_count,
COALESCE(b.ec2_count, 0) - COALESCE(a.ri_count, 0) AS result
FROM
(SELECT
availability_zone,
instance_type,
SUM(instance_count) AS ri_count
FROM
aws_ec2_reserved_instance
WHERE
instance_state='active'
GROUP BY
availability_zone,
instance_type
) a
FULL OUTER JOIN
(SELECT
placement_availability_zone AS availability_zone,
instance_type,
COUNT(*) AS ec2_count
FROM
aws_ec2_instance
WHERE
instance_state='running' AND
instance_lifecycle!='spot'
GROUP BY
availability_zone,
instance_type
) b
ON
a.availability_zone = b.availability_zone AND
a.instance_type = b.instance_type
INNER JOIN
(SELECT
instance_type,
(CAST(memory_info ->> 'SizeInMiB' AS FLOAT) / 1024) AS memory,
(CAST(v_cpu_info ->> 'DefaultCores' AS FLOAT) * 2) AS cpu
FROM
aws_ec2_instance_type
WHERE
instance_type in (SELECT instance_type FROM aws_ec2_instance WHERE instance_state='running')
GROUP BY
instance_type, memory, cpu
) c
ON
COALESCE(a.instance_type, b.instance_type, '-') = c.instance_type
ORDER BY availability_zone
"""
#instance_type in (SELECT instance_type FROM aws_ec2_instance WHERE instance_state='running' AND instance_lifecycle!='spot')
#------------------------------------------------------------------------------------------------------
origin="/shared-data/org_README.md"
exec_log="/shared-data/query.log"
file="/shared-data/README2.md"
#------------------------------------------------------------------------------------------------------
__init
title="## 노드 목록"
__query_exec "${node_query}"
__append
title="## 리소스 목록"
__query_exec "${resources_query}"
__append
title="## 서비스 목록 (NodePort)"
__query_exec "${service_query}"
__append
title="## 예약 인스턴스 사용 내역"
__query_exec "${aws_ri_query}"
__append
#------------------------------------------------------------------------------------------------------
rm ${exec_log}

11
helm/argo-workflows/Lab/steampipe-dsk-iac/00_Old/test-pod.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Pod
metadata:
name: steampipe
spec:
containers:
- name: steampipe
image: ghcr.io/turbot/steampipe:latest
command: ["/bin/bash"]
args: ["-c", "while true; do sleep 10; done"]

112
helm/argo-workflows/Lab/steampipe-dsk-iac/00_Old/test-workflow.yaml Normal file
View File

@@ -0,0 +1,112 @@
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: scripts-bash-
spec:
entrypoint: bash-script-example
volumes:
- name: script-volume
configMap:
name: steampipe-script
- name: kubeconfig
secret:
secretName: my-kubeconfig
volumeClaimTemplates:
- metadata:
name: shared-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
templates:
- name: bash-script-example
dag:
tasks:
- name: steampipe
template: steampipe
- name: git
template: git
dependencies:
- steampipe
- name: steampipe
script:
image: ghcr.io/turbot/steampipe:latest
command: [bash]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
- name: kubeconfig
mountPath: /kubeconfig
env:
- name: AWS_REGION
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_SECRET_ACCESS_KEY
- name: KMS_ARN
valueFrom:
secretKeyRef:
name: aws-creds
key: KMS_ARN
- name: KUBECONFIG
value: /kubeconfig/config
source: |
# 쿼리 결과를 공유 볼륨에 저장
steampipe plugin install aws
steampipe plugin install kubernetes
sleep 1
steampipe service restart --force
sleep 1
cd /shared-data/
sleep 1
bash /scripts/script.sh
- name: git
script:
image: alpine/git:latest
command: [sh]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
env:
- name: GIT_USERNAME
valueFrom:
secretKeyRef:
name: git-credentials
key: username
- name: GIT_PASSWORD
valueFrom:
secretKeyRef:
name: git-credentials
key: password
source: |
git config --global credential.helper 'store --file /tmp/credentials'
echo "https://${GIT_USERNAME}:${GIT_PASSWORD}@github.com" > /tmp/credentials
git config --global user.email "havelight@ex-em.com"
git config --global user.name "jaehee-jung"
cd /shared-data # 경로 내의 파일 목록 확인
git clone https://github.com/CloudMOA/dsk-iac.git
# 공유 볼륨에서 쿼리 결과 읽기
cp README2.md dsk-iac/README.md
# 커밋 및 푸시 작업 수행
cd dsk-iac
git add README.md
git commit -m "Update README with query result"
git push

115
helm/argo-workflows/Lab/steampipe-dsk-iac/cron-steampipe.yaml Normal file
View File

@@ -0,0 +1,115 @@
apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
name: steampipe-iac-cron
spec:
schedule: "0 8 * * *"
timezone: "Asia/Seoul"
workflowSpec:
entrypoint: bash-script-example
volumes:
- name: script-volume
configMap:
name: steampipe-script
- name: kubeconfig
secret:
secretName: my-kubeconfig
volumeClaimTemplates:
- metadata:
name: shared-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
templates:
- name: bash-script-example
dag:
tasks:
- name: steampipe
template: steampipe
- name: git
template: git
dependencies:
- steampipe
- name: steampipe
script:
image: ghcr.io/turbot/steampipe:latest
command: [bash]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
- name: kubeconfig
mountPath: /kubeconfig
env:
- name: AWS_REGION
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_REGION
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: aws-creds
key: AWS_SECRET_ACCESS_KEY
- name: KMS_ARN
valueFrom:
secretKeyRef:
name: aws-creds
key: KMS_ARN
- name: KUBECONFIG
value: /kubeconfig/config
source: |
# 쿼리 결과를 공유 볼륨에 저장
steampipe plugin install aws
steampipe plugin install kubernetes
sleep 3
steampipe service restart --force
sleep 1
cd /shared-data/
sleep 1
bash /scripts/script.sh
- name: git
script:
image: alpine/git:latest
command: [sh]
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: script-volume
mountPath: /scripts
env:
- name: GIT_USERNAME
valueFrom:
secretKeyRef:
name: git-credentials
key: username
- name: GIT_PASSWORD
valueFrom:
secretKeyRef:
name: git-credentials
key: password
source: |
git config --global credential.helper 'store --file /tmp/credentials'
echo "https://${GIT_USERNAME}:${GIT_PASSWORD}@github.com" > /tmp/credentials
git config --global user.email "havelight@ex-em.com"
git config --global user.name "jaehee-jung"
cd /shared-data # 경로 내의 파일 목록 확인
git clone https://github.com/CloudMOA/dsk-iac.git
# 공유 볼륨에서 쿼리 결과 읽기
cp README2.md dsk-iac/README.md
# 커밋 및 푸시 작업 수행
cd dsk-iac
git add README.md
git commit -m "Update README with query result"
git push

200
helm/argo-workflows/Lab/steampipe-dsk-iac/steampipe_configmap.yaml Normal file
View File

@@ -0,0 +1,200 @@
kind: ConfigMap
metadata:
annotations:
name: steampipe-script
namespace: argo-workflows
apiVersion: v1
data:
script.sh: |
#!/bin/bash
#------------------------------------------------------------------------------------------------------
__init (){
touch ${origin}
touch ${exec_log}
datetime=`TZ='Asia/Seoul' date "+%Y.%m.%d %H:%M:%S"`
echo -e "*update time : ${datetime}\n" > ${file}
cat ${origin} >> ${file}
}
#------------------------------------------------------------------------------------------------------
__append (){
line_count=`cat ${exec_log} | grep -v -- -- | egrep -v '(name|ri_count)' | wc -l`
echo -e "\n${title} [${line_count}]\n" >> ${file}
cat ${exec_log} >> ${file}
}
#------------------------------------------------------------------------------------------------------
__query_exec (){
steampipe query "${1}" > ${exec_log}
__log_sed
}
#------------------------------------------------------------------------------------------------------
__log_sed (){
sed -i 's/+/|/g' ${exec_log}
sed -i "s/node-role.kubernetes.io\///g" ${exec_log}
sed -i '1d;$d' ${exec_log}
}
#------------------------------------------------------------------------------------------------------
node_query="""
SELECT
name,
annotations ->> 'projectcalico.org/IPv4Address' AS IP,
COALESCE(taints -> 0 ->> 'key', '-') AS Taints_key,
COALESCE(tags ->> 'kops.k8s.io/instancegroup', '-') AS Instance_group,
capacity ->> 'cpu' AS CPU,
CEIL((CAST(regexp_replace(capacity ->> 'memory', 'Ki', '') AS FLOAT) / 1024 / 1024)) AS Memory,
tags ->> 'topology.kubernetes.io/zone' AS Zone,
tags ->> 'beta.kubernetes.io/instance-type' AS Instance_type,
node_info ->> 'osImage' AS OS,
node_info ->> 'kubeletVersion' AS K8S_ver,
node_info ->> 'containerRuntimeVersion' AS Runtime_ver
FROM
kubernetes_node
ORDER BY
Taints_key
"""
resources_query="""
(SELECT
'sts' as kind,
name,
available_replicas as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_stateful_set
WHERE
name not like 'rel-%')
union
(SELECT
'deploy' as kind,
name,
available_replicas as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_deployment
WHERE
name not like 'rel-%')
union
(SELECT
'ds' as kind,
name,
number_available as count,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'cpu' AS request_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'requests' ->> 'memory' AS request_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'cpu' AS limit_cpu,
jsonb_array_elements(template -> 'spec' -> 'containers') -> 'resources' -> 'limits' ->> 'memory' AS limit_mem,
jsonb_array_elements(template -> 'spec' -> 'containers') ->> 'name' AS c_name,
namespace
FROM
kubernetes_daemonset
WHERE
name not like 'rel-%')
order by kind
"""
service_query="""
SELECT
name,
namespace,
type,
lower(p ->> 'nodePort') as Node_Port,
age(current_timestamp, creation_timestamp)
FROM
kubernetes_service,
jsonb_array_elements(ports) as p
WHERE
type='NodePort'
ORDER BY
Node_Port
"""
#name not like '%rel-%'
aws_ri_query="""
SELECT
COALESCE(a.availability_zone, b.availability_zone, '-') AS availability_zone,
COALESCE(a.instance_type, b.instance_type, c.instance_type, '-') AS instance_type,
COALESCE(c.cpu, 0) AS cpu,
COALESCE(c.memory, 0) AS memory,
COALESCE(a.ri_count, 0) AS ri_count,
COALESCE(b.ec2_count, 0) AS ec2_count,
COALESCE(b.ec2_count, 0) - COALESCE(a.ri_count, 0) AS result
FROM
(SELECT
availability_zone,
instance_type,
SUM(instance_count) AS ri_count
FROM
aws_ec2_reserved_instance
WHERE
instance_state='active'
GROUP BY
availability_zone,
instance_type
) a
FULL OUTER JOIN
(SELECT
placement_availability_zone AS availability_zone,
instance_type,
COUNT(*) AS ec2_count
FROM
aws_ec2_instance
WHERE
instance_state='running' AND
instance_lifecycle!='spot'
GROUP BY
availability_zone,
instance_type
) b
ON
a.availability_zone = b.availability_zone AND
a.instance_type = b.instance_type
INNER JOIN
(SELECT
instance_type,
(CAST(memory_info ->> 'SizeInMiB' AS FLOAT) / 1024) AS memory,
(CAST(v_cpu_info ->> 'DefaultCores' AS FLOAT) * 2) AS cpu
FROM
aws_ec2_instance_type
WHERE
instance_type in (SELECT instance_type FROM aws_ec2_instance WHERE instance_state='running')
GROUP BY
instance_type, memory, cpu
) c
ON
COALESCE(a.instance_type, b.instance_type, '-') = c.instance_type
ORDER BY availability_zone
"""
#instance_type in (SELECT instance_type FROM aws_ec2_instance WHERE instance_state='running' AND instance_lifecycle!='spot')
#------------------------------------------------------------------------------------------------------
origin="/shared-data/org_README.md"
exec_log="/shared-data/query.log"
file="/shared-data/README2.md"
#------------------------------------------------------------------------------------------------------
__init
title="## 노드 목록"
__query_exec "${node_query}"
__append
title="## 리소스 목록"
__query_exec "${resources_query}"
__append
title="## 서비스 목록 (NodePort)"
__query_exec "${service_query}"
__append
title="## 예약 인스턴스 사용 내역"
__query_exec "${aws_ri_query}"
__append
#------------------------------------------------------------------------------------------------------
rm ${exec_log}

34
helm/argo-workflows/Lab/steampipe.yaml Normal file
View File

@@ -0,0 +1,34 @@
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: scripts-bash-
spec:
entrypoint: bash-script-example
templates:
- name: bash-script-example
steps:
- - name: generate
template: steampipe
- - name: print
template: print-message
arguments:
parameters:
- name: message
value: "{{steps.generate.outputs.result}}"
- name: steampipe
script:
image: ghcr.io/turbot/steampipe:latest
command: [bash]
source: |
steampipe
- name: print-message
inputs:
parameters:
- name: message
container:
image: alpine:latest
command: [sh, -c]
args: ["echo result was: {{inputs.parameters.message}}"]

6
helm/argo-workflows/Lab/test.sh Normal file
View File

@@ -0,0 +1,6 @@
GIT_USERNAME="jaehee-jung"
GIT_PASSWORD="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"
git config --global credential.helper 'store --file /etc/git/credentials'
echo "https://${GIT_USERNAME}:${GIT_PASSWORD}@github.com" > /etc/git/credentials

49
helm/argo-workflows/Lab/ui-monitoring/cron_ui_monitoring.yaml Normal file
View File

@@ -0,0 +1,49 @@
apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
name: ui-monitoring-cron
spec:
schedule: "0 * * * *"
timezone: "Asia/Seoul"
workflowSpec:
entrypoint: python-example
volumes:
- name: config-volume
configMap:
name: ui-monitoring
volumeClaimTemplates:
- metadata:
name: shared-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
templates:
- name: python-example
dag:
tasks:
- name: ui-monitoring
template: ui-monitoring
- name: ui-monitoring
container:
image: nexus2.exem-oss.org/ui_monitoring:v0.6
command: ["sh", "-c"]
args:
- |
echo "======================================"
python /tmp/dsk_playwright.py
echo "======================================"
echo -n "$SSH_KEY" > /tmp/id_rsa
chmod 600 /tmp/id_rsa
scp -i /tmp/id_rsa -o StrictHostKeyChecking=no -rp /shared-data/*_screenshot* root@10.10.43.98:/tmp/
env:
- name: SSH_KEY
valueFrom:
secretKeyRef:
name: bastion-ssh-key
key: ssh-key
volumeMounts:
- name: shared-data
mountPath: /shared-data

37
helm/argo-workflows/Lab/ui-monitoring/cron_ui_monitoring.yaml_bak Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
name: ui-monitoring-cron
spec:
schedule: "0 * * * *"
timezone: "Asia/Seoul"
workflowSpec:
entrypoint: python-example
volumes:
- name: config-volume
configMap:
name: ui-monitoring
volumeClaimTemplates:
- metadata:
name: shared-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
templates:
- name: python-example
dag:
tasks:
- name: ui-monitoring
template: ui-monitoring
- name: ui-monitoring
script:
image: nexus2.exem-oss.org/ui_monitoring:v0.2
volumeMounts:
- name: shared-data
mountPath: /shared-data
- name: config-volume
mountPath: /tmp/config.json
subPath: config.json

62
helm/argo-workflows/Lab/ui-monitoring/test/cron_ui_monitoring.yaml Normal file
View File

@@ -0,0 +1,62 @@
apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
name: ui-monitoring-cron-test
spec:
schedule: "0 * * * *"
timezone: "Asia/Seoul"
workflowSpec:
entrypoint: python-example
volumes:
- name: config-volume
configMap:
name: ui-monitoring
volumeClaimTemplates:
- metadata:
name: shared-data-{{workflow.name}}
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 1Gi
templates:
- name: python-example
dag:
tasks:
- name: ui-monitoring
template: ui-monitoring
- name: move-capture
template: scp
dependencies:
- ui-monitoring
- name: ui-monitoring
script:
image: nexus2.exem-oss.org/ui_monitoring:v0.3
volumeMounts:
- name: shared-data-{{workflow.name}}
mountPath: /shared-data
- name: config-volume
mountPath: /tmp/config.json
subPath: config.json
- name: scp
container:
image: nexus2.exem-oss.org/dsk-openssh-client:v1.0
command: ["sh", "-c"]
args:
- |
echo -n "$SSH_KEY" > /tmp/id_rsa
chmod 600 /tmp/id_rsa
while true; do sleep 1; done
scp -i /tmp/id_rsa -o StrictHostKeyChecking=no -rp /shared-data/*_screenshot* root@10.10.43.98:/tmp/
scp -i /tmp/id_rsa -o StrictHostKeyChecking=no -rp /shared-data/*_error* root@10.10.43.98:/tmp/
env:
- name: SSH_KEY
valueFrom:
secretKeyRef:
name: bastion-ssh-key
key: ssh-key
volumeMounts:
- name: shared-data-{{workflow.name}}
mountPath: /shared-data

16
helm/argo-workflows/Lab/ui-monitoring/ui_monitoring_configmap.yaml Normal file
View File

@@ -0,0 +1,16 @@
kind: ConfigMap
metadata:
annotations:
name: ui-monitoring
namespace: argo-workflows
apiVersion: v1
data:
config.json: |
{
"dsk_url": "https://app.kr.datasaker.io",
"dsk_username": "support@ex-em.com",
"dsk_password": "saasadmin12#$",
"slack_webhook_url" : "https://hooks.slack.com/services/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",
"timeout": 10000
}

376
helm/argo-workflows/README.md Normal file
View File

@@ -0,0 +1,376 @@
# Argo Workflows Chart
This is a **community maintained** chart. It is used to set up argo and its needed dependencies through one command. This is used in conjunction with [helm](https://github.com/kubernetes/helm).
If you want your deployment of this helm chart to most closely match the [argo CLI](https://github.com/argoproj/argo-workflows), you should deploy it in the `kube-system` namespace.
## Pre-Requisites
### Custom resource definitions
Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart.
Helm cannot upgrade custom resource definitions in the `<chart>/crds` folder [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). Starting with 3.4.0 (chart version 0.19.0), the CRDs have been moved to `<chart>/templates` to address this design decision.
If you are using Argo Workflows chart version prior to 3.4.0 (chart version 0.19.0) or have elected to manage the Argo Workflows CRDs outside of the chart, please use `kubectl` to upgrade CRDs manually from [templates/crds](templates/crds/) folder or via the manifests from the upstream project repo:
```bash
kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=<appVersion>"
# Eg. version v3.3.9
kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v3.3.9"
```
### ServiceAccount for Workflow Spec
In order for each Workflow run, you create ServiceAccount via `values.yaml` like below.
```yaml
workflow:
serviceAccount:
create: true
name: "argo-workflow"
rbac:
create: true
controller:
workflowNamespaces:
- default
- foo
- bar
```
Set ServiceAccount on Workflow.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
generateName: hello-world-
spec:
entrypoint: whalesay
serviceAccountName: argo-workflow # Set ServiceAccount
templates:
- name: whalesay
container:
image: docker/whalesay
command: [ cowsay ]
args: [ "hello world" ]
```
## Installing the Chart
To install the chart with the release name `my-release`:
```console
$ helm repo add argo https://argoproj.github.io/argo-helm
"argo" has been added to your repositories
$ helm install my-release argo/argo-workflows
NAME: my-release
...
```
## Changelog
For full list of changes, please check ArtifactHub [changelog].
## Usage Notes
### High Availability
This chart installs the non-HA version of Argo Workflows by default. If you want to run in HA mode, you can use [these example values](ci/ha-values.yaml) as a starting point.
Please see the upstream [Operator Manual's High Availability page](https://argoproj.github.io/argo-workflows/high-availability/) to understand how to scale Argo Workflows in depth.
### Workflow controller
This chart defaults to setting the `controller.instanceID.enabled` to `false` now, which means the deployed controller will act upon any workflow deployed to the cluster. If you would like to limit the behavior and deploy multiple workflow controllers, please use the `controller.instanceID.enabled` attribute along with one of its configuration options to set the `instanceID` of the workflow controller to be properly scoped for your needs.
### Workflow server authentication
By default, the chart requires some kind of authentication mechanism. This adopts the [default behaviour from the Argo project](https://github.com/argoproj/argo-workflows/pull/5211) itself. However, for local development purposes, or cases where your gateway authentication is covered by some other means, you can set the authentication mode for the Argo server by setting the `server.extraArgs: [--auth-mode=server]`. There are a few additional comments in the values.yaml file itself, including commented-out settings to disable authentication on the server UI itself using the same `--auth-mode=server` setting.
## Values
The `values.yaml` contains items used to tweak a deployment of this chart.
Fields to note:
- `controller.instanceID.enabled`: If set to true, the Argo Controller will **ONLY** monitor Workflow submissions with a `--instanceid` attribute
- `controller.instanceID.useReleaseName`: If set to true then chart set controller instance id to release name
- `controller.instanceID.explicitID`: Allows customization of an instance id for the workflow controller to monitor
- `singleNamespace`: When true, restricts the workflow controller to operate
in just the single namespace (that one of the Helm release).
- `controller.workflowNamespaces`: This is a list of namespaces where the
workflow controller will manage workflows. Only valid when `singleNamespace`
is false.
### General parameters
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| apiVersionOverrides.autoscaling | string | `""` | String to override apiVersion of autoscaling rendered by this helm chart |
| apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart |
| crds.annotations | object | `{}` | Annotations to be added to all CRDs |
| crds.install | bool | `true` | Install and upgrade CRDs |
| crds.keep | bool | `true` | Keep CRDs on chart uninstall |
| createAggregateRoles | bool | `true` | Create clusterroles that extend existing clusterroles to interact with argo-cd crds |
| emissary.images | list | `[]` | The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used. |
| extraObjects | list | `[]` | Array of extra K8s manifests to deploy |
| fullnameOverride | string | `nil` | String to fully override "argo-workflows.fullname" template |
| images.pullPolicy | string | `"Always"` | imagePullPolicy to apply to all containers |
| images.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry |
| images.tag | string | `""` | Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`. |
| kubeVersionOverride | string | `""` | Override the Kubernetes version, which is used to evaluate certain manifests |
| nameOverride | string | `nil` | String to partially override "argo-workflows.fullname" template |
| singleNamespace | bool | `false` | Restrict Argo to operate only in a single namespace (the namespace of the Helm release) by apply Roles and RoleBindings instead of the Cluster equivalents, and start workflow-controller with the --namespaced flag. Use it in clusters with strict access policy. |
### Workflow
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| workflow.namespace | string | `nil` | Deprecated; use controller.workflowNamespaces instead. |
| workflow.rbac.create | bool | `true` | Adds Role and RoleBinding for the above specified service account to be able to run workflows. A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below) |
| workflow.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| workflow.serviceAccount.create | bool | `false` | Specifies whether a service account should be created |
| workflow.serviceAccount.labels | object | `{}` | Labels applied to created service account |
| workflow.serviceAccount.name | string | `"argo-workflow"` | Service account which is used to run workflows |
| workflow.serviceAccount.pullSecrets | list | `[]` | Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets` |
### Workflow Controller
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| controller.affinity | object | `{}` | Assign custom [affinity] rules |
| controller.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates. |
| controller.columns | list | `[]` | Configure Argo Server to show custom [columns] |
| controller.deploymentAnnotations | object | `{}` | deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment |
| controller.extraArgs | list | `[]` | Extra arguments to be added to the controller |
| controller.extraContainers | list | `[]` | Extra containers to be added to the controller deployment |
| controller.extraEnv | list | `[]` | Extra environment variables to provide to the controller container |
| controller.extraInitContainers | list | `[]` | Enables init containers to be added to the controller deployment |
| controller.image.registry | string | `"quay.io"` | Registry to use for the controller |
| controller.image.repository | string | `"argoproj/workflow-controller"` | Registry to use for the controller |
| controller.image.tag | string | `""` | Image tag for the workflow controller. Defaults to `.Values.images.tag`. |
| controller.initialDelay | string | `nil` | Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224 |
| controller.instanceID.enabled | bool | `false` | Configures the controller to filter workflow submissions to only those which have a matching instanceID attribute. |
| controller.instanceID.explicitID | string | `""` | Use a custom instanceID |
| controller.instanceID.useReleaseName | bool | `false` | Use ReleaseName as instanceID |
| controller.kubeConfig | object | `{}` (See [values.yaml]) | Configure when workflow controller runs in a different k8s cluster with the workflow workloads, or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret. |
| controller.links | list | `[]` | Configure Argo Server to show custom [links] |
| controller.livenessProbe | object | See [values.yaml] | Configure liveness [probe] for the controller |
| controller.loadBalancerSourceRanges | list | `[]` | Source ranges to allow access to service from. Only applies to service type `LoadBalancer` |
| controller.logging.format | string | `"text"` | Set the logging format (one of: `text`, `json`) |
| controller.logging.globallevel | string | `"0"` | Set the glog logging level |
| controller.logging.level | string | `"info"` | Set the logging level (one of: `debug`, `info`, `warn`, `error`) |
| controller.metricsConfig.enabled | bool | `false` | Enables prometheus metrics server |
| controller.metricsConfig.ignoreErrors | bool | `false` | Flag that instructs prometheus to ignore metric emission errors. |
| controller.metricsConfig.metricRelabelings | list | `[]` | ServiceMonitor metric relabel configs to apply to samples before ingestion |
| controller.metricsConfig.metricsTTL | string | `""` | How often custom metrics are cleared from memory |
| controller.metricsConfig.path | string | `"/metrics"` | Path is the path where metrics are emitted. Must start with a "/". |
| controller.metricsConfig.port | int | `9090` | Port is the port where metrics are emitted |
| controller.metricsConfig.portName | string | `"metrics"` | Container metrics port name |
| controller.metricsConfig.relabelings | list | `[]` | ServiceMonitor relabel configs to apply to samples before scraping |
| controller.metricsConfig.secure | bool | `false` | Flag that use a self-signed cert for TLS |
| controller.metricsConfig.servicePort | int | `8080` | Service metrics port |
| controller.metricsConfig.servicePortName | string | `"metrics"` | Service metrics port name |
| controller.metricsConfig.targetLabels | list | `[]` | ServiceMonitor will add labels from the service to the Prometheus metric |
| controller.name | string | `"workflow-controller"` | Workflow controller name string |
| controller.namespaceParallelism | string | `nil` | Limits the maximum number of incomplete workflows in a namespace |
| controller.navColor | string | `""` | Set ui navigation bar background color |
| controller.nodeEvents.enabled | bool | `true` | Enable to emit events on node completion. |
| controller.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | [Node selector] |
| controller.parallelism | string | `nil` | parallelism dictates how many workflows can be running at the same time |
| controller.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the controller pods |
| controller.persistence | object | `{}` | enable persistence using postgres |
| controller.podAnnotations | object | `{}` | podAnnotations is an optional map of annotations to be applied to the controller Pods |
| controller.podGCDeleteDelayDuration | string | `5s` (Argo Workflows default) | The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately. |
| controller.podGCGracePeriodSeconds | string | `30` seconds (Kubernetes default) | Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately. |
| controller.podLabels | object | `{}` | Optional labels to add to the controller pods |
| controller.podSecurityContext | object | `{}` | SecurityContext to set on the controller pods |
| controller.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages. |
| controller.rbac.accessAllSecrets | bool | `false` | Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty. |
| controller.rbac.create | bool | `true` | Adds Role and RoleBinding for the controller. |
| controller.rbac.secretWhitelist | list | `[]` | Allows controller to get, list, and watch certain k8s secrets |
| controller.rbac.writeConfigMaps | bool | `false` | Allows controller to create and update ConfigMaps. Enables memoization feature |
| controller.replicas | int | `1` | The number of controller pods to run |
| controller.resourceRateLimit | object | `{}` | Globally limits the rate at which pods are created. This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of parallel nodes. |
| controller.resources | object | `{}` | Resource limits and requests for the controller |
| controller.retentionPolicy | object | `{}` | Workflow retention by number of workflows |
| controller.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true}` | the controller container's securityContext |
| controller.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| controller.serviceAccount.create | bool | `true` | Create a service account for the controller |
| controller.serviceAccount.labels | object | `{}` | Labels applied to created service account |
| controller.serviceAccount.name | string | `""` | Service account name |
| controller.serviceAnnotations | object | `{}` | Annotations to be applied to the controller Service |
| controller.serviceLabels | object | `{}` | Optional labels to add to the controller Service |
| controller.serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels |
| controller.serviceMonitor.enabled | bool | `false` | Enable a prometheus ServiceMonitor |
| controller.serviceMonitor.namespace | string | `""` | Prometheus ServiceMonitor namespace |
| controller.serviceType | string | `"ClusterIP"` | Service type of the controller Service |
| controller.telemetryConfig.enabled | bool | `false` | Enables prometheus telemetry server |
| controller.telemetryConfig.ignoreErrors | bool | `false` | Flag that instructs prometheus to ignore metric emission errors. |
| controller.telemetryConfig.metricsTTL | string | `""` | How often custom metrics are cleared from memory |
| controller.telemetryConfig.path | string | `"/telemetry"` | telemetry path |
| controller.telemetryConfig.port | int | `8081` | telemetry container port |
| controller.telemetryConfig.secure | bool | `false` | Flag that use a self-signed cert for TLS |
| controller.telemetryConfig.servicePort | int | `8081` | telemetry service port |
| controller.telemetryConfig.servicePortName | string | `"telemetry"` | telemetry service port name |
| controller.tolerations | list | `[]` | [Tolerations] for use with node taints |
| controller.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the workflow controller |
| controller.volumeMounts | list | `[]` | Additional volume mounts to the controller main container |
| controller.volumes | list | `[]` | Additional volumes to the controller pod |
| controller.workflowDefaults | object | `{}` | Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level. Only valid for 2.7+ |
| controller.workflowNamespaces | list | `["default"]` | Specify all namespaces where this workflow controller instance will manage workflows. This controls where the service account and RBAC resources will be created. Only valid when singleNamespace is false. |
| controller.workflowRestrictions | object | `{}` | Restricts the Workflows that the controller will process. Only valid for 2.9+ |
| controller.workflowWorkers | string | `nil` | Number of workflow workers |
### Workflow Main Container
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| mainContainer.env | list | `[]` | Adds environment variables for the Workflow main container |
| mainContainer.envFrom | list | `[]` | Adds reference environment variables for the Workflow main container |
| mainContainer.imagePullPolicy | string | `""` | imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`. |
| mainContainer.resources | object | `{}` | Resource limits and requests for the Workflow main container |
| mainContainer.securityContext | object | `{}` | sets security context for the Workflow main container |
### Workflow Executor
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| executor.args | list | `[]` | Passes arguments to the executor processes |
| executor.env | list | `[]` | Adds environment variables for the executor. |
| executor.image.pullPolicy | string | `""` | Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`. |
| executor.image.registry | string | `"quay.io"` | Registry to use for the Workflow Executors |
| executor.image.repository | string | `"argoproj/argoexec"` | Repository to use for the Workflow Executors |
| executor.image.tag | string | `""` | Image tag for the workflow executor. Defaults to `.Values.images.tag`. |
| executor.resources | object | `{}` | Resource limits and requests for the Workflow Executors |
| executor.securityContext | object | `{}` | sets security context for the executor container |
### Workflow Server
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| server.GKEbackendConfig.enabled | bool | `false` | Enable BackendConfig custom resource for Google Kubernetes Engine |
| server.GKEbackendConfig.spec | object | `{}` | [BackendConfigSpec] |
| server.GKEfrontendConfig.enabled | bool | `false` | Enable FrontConfig custom resource for Google Kubernetes Engine |
| server.GKEfrontendConfig.spec | object | `{}` | [FrontendConfigSpec] |
| server.GKEmanagedCertificate.domains | list | `["argoworkflows.example.com"]` | Domains for the Google Managed Certificate |
| server.GKEmanagedCertificate.enabled | bool | `false` | Enable ManagedCertificate custom resource for Google Kubernetes Engine. |
| server.affinity | object | `{}` | Assign custom [affinity] rules |
| server.autoscaling.behavior | object | `{}` | Configures the scaling behavior of the target in both Up and Down directions. This is only available on HPA apiVersion `autoscaling/v2beta2` and newer |
| server.autoscaling.enabled | bool | `false` | Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server |
| server.autoscaling.maxReplicas | int | `5` | Maximum number of replicas for the Argo Server [HPA] |
| server.autoscaling.minReplicas | int | `1` | Minimum number of replicas for the Argo Server [HPA] |
| server.autoscaling.targetCPUUtilizationPercentage | int | `50` | Average CPU utilization percentage for the Argo Server [HPA] |
| server.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the Argo Server [HPA] |
| server.baseHref | string | `"/"` | Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. |
| server.clusterWorkflowTemplates.enableEditing | bool | `true` | Give the server permissions to edit ClusterWorkflowTemplates. |
| server.clusterWorkflowTemplates.enabled | bool | `true` | Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates. |
| server.deploymentAnnotations | object | `{}` | optional map of annotations to be applied to the ui Deployment |
| server.enabled | bool | `true` | Deploy the Argo Server |
| server.extraArgs | list | `[]` | Extra arguments to provide to the Argo server binary, such as for disabling authentication. |
| server.extraContainers | list | `[]` | Extra containers to be added to the server deployment |
| server.extraEnv | list | `[]` | Extra environment variables to provide to the argo-server container |
| server.extraInitContainers | list | `[]` | Enables init containers to be added to the server deployment |
| server.image.registry | string | `"quay.io"` | Registry to use for the server |
| server.image.repository | string | `"argoproj/argocli"` | Repository to use for the server |
| server.image.tag | string | `""` | Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`. |
| server.ingress.annotations | object | `{}` | Additional ingress annotations |
| server.ingress.enabled | bool | `false` | Enable an ingress resource |
| server.ingress.extraPaths | list | `[]` | Additional ingress paths |
| server.ingress.hosts | list | `[]` | List of ingress hosts |
| server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
| server.ingress.labels | object | `{}` | Additional ingress labels |
| server.ingress.pathType | string | `"Prefix"` | Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific` |
| server.ingress.paths | list | `["/"]` | List of ingress paths |
| server.ingress.tls | list | `[]` | Ingress TLS configuration |
| server.loadBalancerIP | string | `""` | Static IP address to assign to loadBalancer service type `LoadBalancer` |
| server.loadBalancerSourceRanges | list | `[]` | Source ranges to allow access to service from. Only applies to service type `LoadBalancer` |
| server.logging.format | string | `"text"` | Set the logging format (one of: `text`, `json`) |
| server.logging.globallevel | string | `"0"` | Set the glog logging level |
| server.logging.level | string | `"info"` | Set the logging level (one of: `debug`, `info`, `warn`, `error`) |
| server.name | string | `"server"` | Server name string |
| server.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | [Node selector] |
| server.pdb.enabled | bool | `false` | Configure [Pod Disruption Budget] for the server pods |
| server.podAnnotations | object | `{}` | optional map of annotations to be applied to the ui Pods |
| server.podLabels | object | `{}` | Optional labels to add to the UI pods |
| server.podSecurityContext | object | `{}` | SecurityContext to set on the server pods |
| server.priorityClassName | string | `""` | Leverage a PriorityClass to ensure your pods survive resource shortages |
| server.rbac.create | bool | `true` | Adds Role and RoleBinding for the server. |
| server.replicas | int | `1` | The number of server pods to run |
| server.resources | object | `{}` | Resource limits and requests for the server |
| server.secure | bool | `false` | Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs. |
| server.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":false,"runAsNonRoot":true}` | Servers container-level security context |
| server.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
| server.serviceAccount.create | bool | `true` | Create a service account for the server |
| server.serviceAccount.labels | object | `{}` | Labels applied to created service account |
| server.serviceAccount.name | string | `""` | Service account name |
| server.serviceAnnotations | object | `{}` | Annotations to be applied to the UI Service |
| server.serviceLabels | object | `{}` | Optional labels to add to the UI Service |
| server.serviceNodePort | string | `nil` | Service node port |
| server.servicePort | int | `2746` | Service port for server |
| server.servicePortName | string | `""` | Service port name |
| server.serviceType | string | `"ClusterIP"` | Service type for server pods |
| server.sso.clientId.key | string | `"client-id"` | Key of secret to retrieve the app OIDC client ID |
| server.sso.clientId.name | string | `"argo-server-sso"` | Name of secret to retrieve the app OIDC client ID |
| server.sso.clientSecret.key | string | `"client-secret"` | Key of a secret to retrieve the app OIDC client secret |
| server.sso.clientSecret.name | string | `"argo-server-sso"` | Name of a secret to retrieve the app OIDC client secret |
| server.sso.customGroupClaimName | string | `""` | Override claim name for OIDC groups |
| server.sso.enabled | bool | `false` | Create SSO configuration |
| server.sso.insecureSkipVerify | bool | `false` | Skip TLS verification for the HTTP client |
| server.sso.issuer | string | `"https://accounts.google.com"` | The root URL of the OIDC identity provider |
| server.sso.issuerAlias | string | `""` | Alternate root URLs that can be included for some OIDC providers |
| server.sso.rbac.enabled | bool | `true` | Adds ServiceAccount Policy to server (Cluster)Role. |
| server.sso.rbac.secretWhitelist | list | `[]` | Whitelist to allow server to fetch Secrets |
| server.sso.redirectUrl | string | `"https://argo/oauth2/callback"` | |
| server.sso.scopes | list | `[]` | Scopes requested from the SSO ID provider |
| server.sso.sessionExpiry | string | `""` | Define how long your login is valid for (in hours) |
| server.sso.userInfoPath | string | `""` | Specify the user info endpoint that contains the groups claim |
| server.tolerations | list | `[]` | [Tolerations] for use with node taints |
| server.topologySpreadConstraints | list | `[]` | Assign custom [TopologySpreadConstraints] rules to the argo server |
| server.volumeMounts | list | `[]` | Additional volume mounts to the server main container. |
| server.volumes | list | `[]` | Additional volumes to the server pod. |
### Artifact Repository
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| artifactRepository.archiveLogs | bool | `false` | Archive the main container logs as an artifact |
| artifactRepository.azure | object | `{}` (See [values.yaml]) | Store artifact in Azure Blob Storage |
| artifactRepository.gcs | object | `{}` (See [values.yaml]) | Store artifact in a GCS object store |
| artifactRepository.s3 | object | See [values.yaml] | Store artifact in a S3-compliant object store |
| artifactRepositoryRef | object | `{}` (See [values.yaml]) | The section of [artifact repository ref](https://argoproj.github.io/argo-workflows/artifact-repository-ref/). Each map key is the name of configmap |
| customArtifactRepository | object | `{}` | The section of custom artifact repository. Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure) |
| useStaticCredentials | bool | `true` | Use static credentials for S3 (eg. when not using AWS IRSA) |
## Breaking changes from the deprecated `argo` chart
1. the `installCRD` value has been removed. CRDs are now only installed from the conventional crds/ directory
1. the CRDs were updated to `apiextensions.k8s.io/v1`
1. the container image registry/project/tag format was changed to be more in line with the more common
```yaml
image:
registry: quay.io
repository: argoproj/argocli
tag: v3.0.1
```
this also makes it easier for automatic update tooling (eg. renovate bot) to detect and update images.
1. switched to quay.io as the default registry for all images
1. removed any included usage of Minio
1. aligned the configuration of serviceAccounts with the argo-cd chart, ie: what used to be `server.createServiceAccount` is now `server.serviceAccount.create`
1. moved the field previously known as `telemetryServicePort` inside the `telemetryConfig` as `telemetryConfig.servicePort` - same for `metricsConfig`
[affinity]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
[BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
[FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
[links]: https://argoproj.github.io/argo-workflows/links/
[columns]: https://github.com/argoproj/argo-workflows/pull/10693
[Node selector]: https://kubernetes.io/docs/user-guide/node-selection/
[Pod Disruption Budget]: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
[probe]: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
[Tolerations]: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
[TopologySpreadConstraints]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
[values.yaml]: values.yaml
[changelog]: https://artifacthub.io/packages/helm/argo/argo-workflows?modal=changelog

38
helm/argo-workflows/override_values.yaml Normal file
View File

@@ -0,0 +1,38 @@
singleNamespace: true
# -- String to partially override "argo-workflowss.fullname" template
nameOverride: argo-workflows
# -- String to fully override "argo-workflowss.fullname" template
fullnameOverride: argo-workflows
workflow:
serviceAccount:
create: true
name: "argo-workflows"
rbac:
create: true
controller:
metricsConfig:
enabled: true
logging:
level: debug
rbac:
accessAllSecrets: true
writeConfigMaps: true
serviceType: NodePort
extraEnv:
- name: ARGO_EXECUTOR_PLUGINS
value: "true"
server:
serviceType: NodePort
serviceNodePort: 30800
secure: true
extraArgs:
- --auth-mode=server

7
helm/argo-workflows/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,7 @@
1. Get Argo Server external IP/domain by running:
kubectl --namespace {{ .Release.Namespace }} get services -o wide | grep {{ template "argo-workflows.server.fullname" . }}
2. Submit the hello-world workflow by running:
argo submit https://raw.githubusercontent.com/argoproj/argo-workflows/master/examples/hello-world.yaml --watch

181
helm/argo-workflows/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,181 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Create argo workflows server name and version as used by the chart label.
*/}}
{{- define "argo-workflows.server.fullname" -}}
{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create controller name and version as used by the chart label.
*/}}
{{- define "argo-workflows.controller.fullname" -}}
{{- printf "%s-%s" (include "argo-workflows.fullname" .) .Values.controller.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "argo-workflows.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "argo-workflows.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "argo-workflows.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create kubernetes friendly chart version label for the controller.
Examples:
image.tag = v3.4.4
output = v3.4.4
image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696
output = v3.4.4
*/}}
{{- define "argo-workflows.controller_chart_version_label" -}}
{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag) "") "" | trunc 63 | quote -}}
{{- end -}}
{{/*
Create kubernetes friendly chart version label for the server.
Examples:
image.tag = v3.4.4
output = v3.4.4
image.tag = v3.4.4@sha256:d06860f1394a94ac3ff8401126ef32ba28915aa6c3c982c7e607ea0b4dadb696
output = v3.4.4
*/}}
{{- define "argo-workflows.server_chart_version_label" -}}
{{- regexReplaceAll "[^a-zA-Z0-9-_.]+" (regexReplaceAll "@sha256:[a-f0-9]+" (default (include "argo-workflows.defaultTag" .) .Values.server.image.tag) "") "" | trunc 63 | quote -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "argo-workflows.labels" -}}
helm.sh/chart: {{ include "argo-workflows.chart" .context }}
{{ include "argo-workflows.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
app.kubernetes.io/managed-by: {{ .context.Release.Service }}
app.kubernetes.io/part-of: argo-workflows
{{- end }}
{{/*
Selector labels
*/}}
{{- define "argo-workflows.selectorLabels" -}}
{{- if .name -}}
app.kubernetes.io/name: {{ include "argo-workflows.name" .context }}-{{ .name }}
{{ end -}}
app.kubernetes.io/instance: {{ .context.Release.Name }}
{{- if .component }}
app.kubernetes.io/component: {{ .component }}
{{- end }}
{{- end }}
{{/*
Create the name of the server service account to use
*/}}
{{- define "argo-workflows.serverServiceAccountName" -}}
{{- if .Values.server.serviceAccount.create -}}
{{ default (include "argo-workflows.server.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.server.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the controller service account to use
*/}}
{{- define "argo-workflows.controllerServiceAccountName" -}}
{{- if .Values.controller.serviceAccount.create -}}
{{ default (include "argo-workflows.controller.fullname" .) .Values.controller.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.controller.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress
*/}}
{{- define "argo-workflows.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" (include "argo-workflows.kubeVersion" $) -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" (include "argo-workflows.kubeVersion" $) -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "argo-workflows.kubeVersion" -}}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
{{- end -}}
{{/*
Return the default Argo Workflows app version
*/}}
{{- define "argo-workflows.defaultTag" -}}
{{- default .Chart.AppVersion .Values.images.tag }}
{{- end -}}
{{/*
Return full image name including or excluding registry based on existence
*/}}
{{- define "argo-workflows.image" -}}
{{- if and .image.registry .image.repository -}}
{{ .image.registry }}/{{ .image.repository }}
{{- else -}}
{{ .image.repository }}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for autoscaling
*/}}
{{- define "argo-workflows.apiVersion.autoscaling" -}}
{{- if .Values.apiVersionOverrides.autoscaling -}}
{{- print .Values.apiVersionOverrides.autoscaling -}}
{{- else if semverCompare "<1.23-0" (include "argo-workflows.kubeVersion" .) -}}
{{- print "autoscaling/v2beta1" -}}
{{- else -}}
{{- print "autoscaling/v2" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for GKE resources
*/}}
{{- define "argo-workflows.apiVersions.cloudgoogle" -}}
{{- if .Values.apiVersionOverrides.cloudgoogle -}}
{{- print .Values.apiVersionOverrides.cloudgoogle -}}
{{- else if .Capabilities.APIVersions.Has "cloud.google.com/v1" -}}
{{- print "cloud.google.com/v1" -}}
{{- else -}}
{{- print "cloud.google.com/v1beta1" -}}
{{- end -}}
{{- end -}}

19
helm/argo-workflows/templates/controller/artifact-repository-ref-cm.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- range $cm_name, $cm_val := .Values.artifactRepositoryRef }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $cm_name }}
namespace: {{ $.Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $cm_name) | nindent 4 }}
{{- with $cm_val.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
data:
{{- range $data_key, $data_val := (omit $cm_val "annotations") }}
{{- $data_key | nindent 2 }}: |
{{- toYaml $data_val | nindent 4 }}
{{- end }}
{{- end }}

91
helm/argo-workflows/templates/controller/workflow-aggregate-roles.yaml Normal file
View File

@@ -0,0 +1,91 @@
{{- if .Values.createAggregateRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.fullname" . }}-view
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
- workfloweventbindings
- workfloweventbindings/finalizers
- workflowtemplates
- workflowtemplates/finalizers
- cronworkflows
- cronworkflows/finalizers
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.fullname" . }}-edit
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
- workfloweventbindings
- workfloweventbindings/finalizers
- workflowtemplates
- workflowtemplates/finalizers
- cronworkflows
- cronworkflows/finalizers
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.fullname" . }}-admin
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
- workfloweventbindings
- workfloweventbindings/finalizers
- workflowtasksets
- workflowtasksets/finalizers
- workflowtemplates
- workflowtemplates/finalizers
- cronworkflows
- cronworkflows/finalizers
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
{{- end }}

220
helm/argo-workflows/templates/controller/workflow-controller-cluster-roles.yaml Normal file
View File

@@ -0,0 +1,220 @@
{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
{{- if .Values.singleNamespace }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- watch
- list
{{- if .Values.controller.rbac.writeConfigMaps }}
- create
- update
{{- end}}
- apiGroups:
- ""
resources:
- persistentvolumeclaims
- persistentvolumeclaims/finalizers
verbs:
- create
- update
- delete
- get
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
- workflowtasksets
- workflowtasksets/finalizers
- workflowartifactgctasks
verbs:
- get
- list
- watch
- update
- patch
- delete
- create
- apiGroups:
- argoproj.io
resources:
- workflowtemplates
- workflowtemplates/finalizers
verbs:
- get
- list
- watch
- apiGroups:
- argoproj.io
resources:
- workflowtaskresults
- workflowtaskresults/finalizers
verbs:
- list
- watch
- deletecollection
- apiGroups:
- argoproj.io
resources:
- cronworkflows
- cronworkflows/finalizers
verbs:
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- apiGroups:
- "policy"
resources:
- poddisruptionbudgets
verbs:
- create
- get
- delete
{{- if .Values.controller.persistence }}
- apiGroups:
- ""
resources:
- secrets
resourceNames:
{{- if .Values.controller.persistence.postgresql }}
- {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
- {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
{{- end}}
{{- if .Values.controller.persistence.mysql }}
- {{ .Values.controller.persistence.mysql.userNameSecret.name }}
- {{ .Values.controller.persistence.mysql.passwordSecret.name }}
{{- end}}
verbs:
- get
{{- end}}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- coordination.k8s.io
resources:
- leases
resourceNames:
{{- if .Values.controller.instanceID.enabled }}
{{- if .Values.controller.instanceID.useReleaseName }}
- workflow-controller-{{ .Release.Name }}
- workflow-controller-lease-{{ .Release.Name }}
{{- else }}
- workflow-controller-{{ .Values.controller.instanceID.explicitID }}
- workflow-controller-lease-{{ .Values.controller.instanceID.explicitID }}
{{- end }}
{{- else }}
- workflow-controller
- workflow-controller-lease
{{- end }}
verbs:
- get
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
resourceNames:
{{/* for HTTP templates */}}
- argo-workflows-agent-ca-certificates
{{- with .Values.controller.rbac.secretWhitelist }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
resourceNames: {{- toYaml . | nindent 4 }}
{{- end }}
{{- if and (not .Values.controller.rbac.secretWhitelist) (.Values.controller.rbac.accessAllSecrets) }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- end }}
{{- if .Values.controller.clusterWorkflowTemplates.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- clusterworkflowtemplates
- clusterworkflowtemplates/finalizers
verbs:
- get
- list
- watch
{{- end }}
{{- end }}

193
helm/argo-workflows/templates/controller/workflow-controller-config-map.yaml Normal file
View File

@@ -0,0 +1,193 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}-configmap
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" "cm") | nindent 4 }}
data:
config: |
{{- if .Values.controller.instanceID.enabled }}
{{- if .Values.controller.instanceID.useReleaseName }}
instanceID: {{ .Release.Name }}
{{- else }}
instanceID: {{ .Values.controller.instanceID.explicitID }}
{{- end }}
{{- end }}
{{- if .Values.controller.parallelism }}
parallelism: {{ .Values.controller.parallelism }}
{{- end }}
{{- if .Values.controller.resourceRateLimit }}
resourceRateLimit: {{ toYaml .Values.controller.resourceRateLimit | nindent 6 }}
{{- end }}
{{- with .Values.controller.namespaceParallelism }}
namespaceParallelism: {{ . }}
{{- end }}
{{- with .Values.controller.initialDelay }}
initialDelay: {{ . }}
{{- end }}
{{- if or .Values.mainContainer.resources .Values.mainContainer.env .Values.mainContainer.envFrom .Values.mainContainer.securityContext}}
mainContainer:
imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.mainContainer.imagePullPolicy }}
{{- with .Values.mainContainer.resources }}
resources: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mainContainer.env }}
env: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mainContainer.envFrom }}
envFrom: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.mainContainer.securityContext }}
securityContext: {{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if or .Values.executor.resources .Values.executor.env .Values.executor.args .Values.executor.securityContext}}
executor:
imagePullPolicy: {{ default (.Values.images.pullPolicy) .Values.executor.image.pullPolicy }}
{{- with .Values.executor.resources }}
resources: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.executor.args }}
args: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.executor.env }}
env: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.executor.securityContext }}
securityContext: {{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if or .Values.artifactRepository.s3 .Values.artifactRepository.gcs .Values.artifactRepository.azure .Values.customArtifactRepository }}
artifactRepository:
{{- if .Values.artifactRepository.archiveLogs }}
archiveLogs: {{ .Values.artifactRepository.archiveLogs }}
{{- end }}
{{- with .Values.artifactRepository.gcs }}
gcs: {{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.artifactRepository.azure }}
azure: {{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- if .Values.artifactRepository.s3 }}
s3:
{{- if .Values.useStaticCredentials }}
accessKeySecret:
key: {{ tpl .Values.artifactRepository.s3.accessKeySecret.key . }}
name: {{ tpl .Values.artifactRepository.s3.accessKeySecret.name . }}
secretKeySecret:
key: {{ tpl .Values.artifactRepository.s3.secretKeySecret.key . }}
name: {{ tpl .Values.artifactRepository.s3.secretKeySecret.name . }}
{{- end }}
bucket: {{ tpl (.Values.artifactRepository.s3.bucket | default "") . }}
endpoint: {{ tpl (.Values.artifactRepository.s3.endpoint | default "") . }}
insecure: {{ .Values.artifactRepository.s3.insecure }}
{{- if .Values.artifactRepository.s3.keyFormat }}
keyFormat: {{ .Values.artifactRepository.s3.keyFormat | quote }}
{{- end }}
{{- if .Values.artifactRepository.s3.region }}
region: {{ tpl .Values.artifactRepository.s3.region $ }}
{{- end }}
{{- if .Values.artifactRepository.s3.roleARN }}
roleARN: {{ .Values.artifactRepository.s3.roleARN }}
{{- end }}
{{- if .Values.artifactRepository.s3.useSDKCreds }}
useSDKCreds: {{ .Values.artifactRepository.s3.useSDKCreds }}
{{- end }}
{{- with .Values.artifactRepository.s3.encryptionOptions }}
encryptionOptions:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- end }}
{{- if .Values.customArtifactRepository }}
{{- toYaml .Values.customArtifactRepository | nindent 6 }}
{{- end }}
{{- end }}
{{- if .Values.controller.metricsConfig.enabled }}
metricsConfig:
enabled: {{ .Values.controller.metricsConfig.enabled }}
path: {{ .Values.controller.metricsConfig.path }}
port: {{ .Values.controller.metricsConfig.port }}
{{- if .Values.controller.metricsConfig.metricsTTL }}
metricsTTL: {{ .Values.controller.metricsConfig.metricsTTL }}
{{- end }}
ignoreErrors: {{ .Values.controller.metricsConfig.ignoreErrors }}
secure: {{ .Values.controller.metricsConfig.secure }}
{{- end }}
{{- if .Values.controller.telemetryConfig.enabled }}
telemetryConfig:
enabled: {{ .Values.controller.telemetryConfig.enabled }}
path: {{ .Values.controller.telemetryConfig.path }}
port: {{ .Values.controller.telemetryConfig.port }}
{{- if .Values.controller.telemetryConfig.metricsTTL }}
metricsTTL: {{ .Values.controller.telemetryConfig.metricsTTL }}
{{- end }}
ignoreErrors: {{ .Values.controller.telemetryConfig.ignoreErrors }}
secure: {{ .Values.controller.telemetryConfig.secure }}
{{- end }}
{{- if .Values.controller.persistence }}
persistence:
{{ toYaml .Values.controller.persistence | indent 6 }}{{- end }}
{{- if .Values.controller.workflowDefaults }}
workflowDefaults:
{{ toYaml .Values.controller.workflowDefaults | indent 6 }}{{- end }}
{{- if .Values.server.sso.enabled }}
sso:
issuer: {{ .Values.server.sso.issuer }}
clientId:
name: {{ .Values.server.sso.clientId.name }}
key: {{ .Values.server.sso.clientId.key }}
clientSecret:
name: {{ .Values.server.sso.clientSecret.name }}
key: {{ .Values.server.sso.clientSecret.key }}
redirectUrl: {{ .Values.server.sso.redirectUrl }}
rbac:
enabled: {{ .Values.server.sso.rbac.enabled }}
{{- with .Values.server.sso.scopes }}
scopes: {{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.sso.issuerAlias }}
issuerAlias: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.sessionExpiry }}
sessionExpiry: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.customGroupClaimName }}
customGroupClaimName: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.userInfoPath }}
userInfoPath: {{ toYaml . }}
{{- end }}
{{- with .Values.server.sso.insecureSkipVerify }}
insecureSkipVerify: {{ toYaml . }}
{{- end }}
{{- end }}
{{- with .Values.controller.workflowRestrictions }}
workflowRestrictions: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.links }}
links: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.columns }}
columns: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.navColor }}
navColor: {{ . }}
{{- end }}
{{- with .Values.controller.retentionPolicy }}
retentionPolicy: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.emissary.images }}
images: {{- toYaml . | nindent 6 }}
{{- end }}
nodeEvents:
enabled: {{ .Values.controller.nodeEvents.enabled }}
{{- with .Values.controller.kubeConfig }}
kubeConfig: {{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.podGCGracePeriodSeconds }}
podGCGracePeriodSeconds: {{ . }}
{{- end }}
{{- with .Values.controller.podGCDeleteDelayDuration }}
podGCDeleteDelayDuration: {{ . }}
{{- end }}

45
helm/argo-workflows/templates/controller/workflow-controller-crb.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if .Values.controller.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: RoleBinding
{{ else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
{{- if .Values.singleNamespace }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if .Values.singleNamespace }}
kind: Role
{{ else }}
kind: ClusterRole
{{- end }}
name: {{ template "argo-workflows.controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.controllerServiceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.controller.clusterWorkflowTemplates.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "argo-workflows.controller.fullname" . }}-cluster-template
subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.controllerServiceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
{{- end }}

20
helm/argo-workflows/templates/controller/workflow-controller-deployment-pdb.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if .Values.controller.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
spec:
{{- if .Values.controller.pdb.minAvailable }}
minAvailable: {{ .Values.controller.pdb.minAvailable }}
{{- else if .Values.controller.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.controller.pdb.maxUnavailable }}
{{- else }}
minAvailable: 0
{{- end }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
{{- end }}

129
helm/argo-workflows/templates/controller/workflow-controller-deployment.yaml Normal file
View File

@@ -0,0 +1,129 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
{{- with .Values.controller.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.controller.replicas }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
template:
metadata:
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
app.kubernetes.io/version: {{ include "argo-workflows.controller_chart_version_label" . }}
{{- with.Values.controller.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "argo-workflows.controllerServiceAccountName" . }}
{{- with .Values.controller.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.extraInitContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: controller
image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.controller.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag }}"
imagePullPolicy: {{ .Values.images.pullPolicy }}
command: [ "workflow-controller" ]
args:
- "--configmap"
- "{{ template "argo-workflows.controller.fullname" . }}-configmap"
- "--executor-image"
- "{{- include "argo-workflows.image" (dict "context" . "image" .Values.executor.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.executor.image.tag }}"
- "--loglevel"
- "{{ .Values.controller.logging.level }}"
- "--gloglevel"
- "{{ .Values.controller.logging.globallevel }}"
- "--log-format"
- "{{ .Values.controller.logging.format }}"
{{- if .Values.singleNamespace }}
- "--namespaced"
{{- end }}
{{- with .Values.controller.workflowWorkers }}
- "--workflow-workers"
- {{ . | quote }}
{{- end }}
{{- with .Values.controller.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
securityContext:
{{- toYaml .Values.controller.securityContext | nindent 12 }}
env:
- name: ARGO_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: LEADER_ELECTION_IDENTITY
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
{{- with .Values.controller.extraEnv }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.controller.resources | nindent 12 }}
{{- with .Values.controller.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: {{ .Values.controller.metricsConfig.portName }}
containerPort: {{ .Values.controller.metricsConfig.port }}
- containerPort: 6060
livenessProbe: {{ .Values.controller.livenessProbe | toYaml | nindent 12 }}
{{- with .Values.controller.extraContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.images.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.volumes }}
volumes:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.controller.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.controller.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}

16
helm/argo-workflows/templates/controller/workflow-controller-sa.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if .Values.controller.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "argo-workflows.controllerServiceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- with .Values.controller.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{ with .Values.controller.serviceAccount.annotations }}
annotations:
{{- toYaml .| nindent 4 }}
{{- end }}
{{- end }}

39
helm/argo-workflows/templates/controller/workflow-controller-service.yaml Normal file
View File

@@ -0,0 +1,39 @@
{{- if or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
app.kubernetes.io/version: {{ default (include "argo-workflows.defaultTag" .) .Values.controller.image.tag | trunc 63 | quote }}
{{- with .Values.controller.serviceLabels }}
{{ toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.controller.serviceAnnotations }}
annotations:
{{- toYaml . | nindent 4}}
{{- end }}
spec:
ports:
{{- if .Values.controller.metricsConfig.enabled }}
- name: {{ .Values.controller.metricsConfig.servicePortName }}
port: {{ .Values.controller.metricsConfig.servicePort }}
protocol: TCP
targetPort: {{ .Values.controller.metricsConfig.port }}
{{- end }}
{{- if .Values.controller.telemetryConfig.enabled }}
- name: {{ .Values.controller.telemetryConfig.servicePortName }}
port: {{ .Values.controller.telemetryConfig.servicePort }}
protocol: TCP
targetPort: {{ .Values.controller.telemetryConfig.port }}
{{- end }}
selector:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 4 }}
sessionAffinity: None
type: {{ .Values.controller.serviceType }}
{{- if and (eq .Values.controller.serviceType "LoadBalancer") .Values.controller.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml .Values.controller.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end -}}

50
helm/argo-workflows/templates/controller/workflow-controller-servicemonitor.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- if and (or .Values.controller.metricsConfig.enabled .Values.controller.telemetryConfig.enabled) .Values.controller.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "argo-workflows.controller.fullname" . }}
namespace: {{ default .Release.Namespace .Values.controller.serviceMonitor.namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- with .Values.controller.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
{{- if .Values.controller.metricsConfig.enabled }}
- port: {{ .Values.controller.metricsConfig.servicePortName }}
path: {{ .Values.controller.metricsConfig.path }}
interval: 30s
{{- with .Values.controller.metricsConfig.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.metricsConfig.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- if .Values.controller.telemetryConfig.enabled }}
- port: telemetry
path: {{ .Values.controller.telemetryConfig.path }}
interval: 30s
{{- with .Values.controller.metricsConfig.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.metricsConfig.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
{{- with .Values.controller.metricsConfig.targetLabels }}
targetLabels:
{{- toYaml . | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
{{- end }}

24
helm/argo-workflows/templates/controller/workflow-rb.yaml Normal file
View File

@@ -0,0 +1,24 @@
{{- if .Values.workflow.rbac.create -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "argo-workflows.fullname" $ }}-workflow
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "argo-workflows.fullname" $ }}-workflow
subjects:
- kind: ServiceAccount
name: {{ $.Values.workflow.serviceAccount.name }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- end }}
{{- end }}

58
helm/argo-workflows/templates/controller/workflow-role.yaml Normal file
View File

@@ -0,0 +1,58 @@
{{- if .Values.workflow.rbac.create -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-workflows.fullname" $ }}-workflow
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- watch
- patch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- watch
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- apiGroups:
- argoproj.io
resources:
- workflowtaskresults
verbs:
- create
- apiGroups:
- argoproj.io
resources:
- workflowtasksets
- workflowartifactgctasks
verbs:
- list
- watch
- apiGroups:
- argoproj.io
resources:
- workflowtasksets/status
- workflowartifactgctasks/status
verbs:
- patch
{{- end }}
{{- end }}

25
helm/argo-workflows/templates/controller/workflow-sa.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{- if .Values.workflow.serviceAccount.create -}}
{{- range $namespace := or .Values.singleNamespace false | ternary (list "") (append .Values.controller.workflowNamespaces (coalesce .Values.workflow.namespace .Release.Namespace) | uniq) }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $.Values.workflow.serviceAccount.name }}
labels:
{{- include "argo-workflows.labels" (dict "context" $ "component" $.Values.controller.name "name" $.Values.controller.name) | nindent 4 }}
{{- with $.Values.workflow.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $namespace }}
namespace: {{ . }}
{{- end }}
{{- with $.Values.workflow.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with $.Values.workflow.serviceAccount.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end }}

47
helm/argo-workflows/templates/crds/argoproj.io_clusterworkflowtemplates.yaml Normal file
View File

@@ -0,0 +1,47 @@
{{- if .Values.crds.install }}
{{- if or (.Values.server.clusterWorkflowTemplates.enabled) (.Values.controller.clusterWorkflowTemplates.enabled) }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterworkflowtemplates.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: ClusterWorkflowTemplate
listKind: ClusterWorkflowTemplateList
plural: clusterworkflowtemplates
shortNames:
- clusterwftmpl
- cwft
singular: clusterworkflowtemplate
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
{{- end }}
{{- end }}

49
helm/argo-workflows/templates/crds/argoproj.io_cronworkflows.yaml Normal file
View File

@@ -0,0 +1,49 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: cronworkflows.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: CronWorkflow
listKind: CronWorkflowList
plural: cronworkflows
shortNames:
- cwf
- cronwf
singular: cronworkflow
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
{{- end }}

50
helm/argo-workflows/templates/crds/argoproj.io_workflowartifactgctasks.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflowartifactgctasks.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowArtifactGCTask
listKind: WorkflowArtifactGCTaskList
plural: workflowartifactgctasks
shortNames:
- wfat
singular: workflowartifactgctask
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}

44
helm/argo-workflows/templates/crds/argoproj.io_workfloweventbindings.yaml Normal file
View File

@@ -0,0 +1,44 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workfloweventbindings.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowEventBinding
listKind: WorkflowEventBindingList
plural: workfloweventbindings
shortNames:
- wfeb
singular: workfloweventbinding
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
{{- end }}

64
helm/argo-workflows/templates/crds/argoproj.io_workflows.yaml Normal file
View File

@@ -0,0 +1,64 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflows.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: Workflow
listKind: WorkflowList
plural: workflows
shortNames:
- wf
singular: workflow
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Status of the workflow
jsonPath: .status.phase
name: Status
type: string
- description: When the workflow was started
format: date-time
jsonPath: .status.startedAt
name: Age
type: date
- description: Human readable message indicating details about why the workflow
is in this condition.
jsonPath: .status.message
name: Message
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
subresources: {}
{{- end }}

593
helm/argo-workflows/templates/crds/argoproj.io_workflowtaskresults.yaml Normal file
View File

@@ -0,0 +1,593 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflowtaskresults.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowTaskResult
listKind: WorkflowTaskResultList
plural: workflowtaskresults
singular: workflowtaskresult
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
message:
type: string
metadata:
type: object
outputs:
properties:
artifacts:
items:
properties:
archive:
properties:
none:
type: object
tar:
properties:
compressionLevel:
format: int32
type: integer
type: object
zip:
type: object
type: object
archiveLogs:
type: boolean
artifactGC:
properties:
podMetadata:
properties:
annotations:
additionalProperties:
type: string
type: object
labels:
additionalProperties:
type: string
type: object
type: object
serviceAccountName:
type: string
strategy:
enum:
- ""
- OnWorkflowCompletion
- OnWorkflowDeletion
- Never
type: string
type: object
artifactory:
properties:
passwordSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
url:
type: string
usernameSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
required:
- url
type: object
azure:
properties:
accountKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
blob:
type: string
container:
type: string
endpoint:
type: string
useSDKCreds:
type: boolean
required:
- blob
- container
- endpoint
type: object
deleted:
type: boolean
from:
type: string
fromExpression:
type: string
gcs:
properties:
bucket:
type: string
key:
type: string
serviceAccountKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
required:
- key
type: object
git:
properties:
branch:
type: string
depth:
format: int64
type: integer
disableSubmodules:
type: boolean
fetch:
items:
type: string
type: array
insecureIgnoreHostKey:
type: boolean
passwordSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
repo:
type: string
revision:
type: string
singleBranch:
type: boolean
sshPrivateKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
usernameSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
required:
- repo
type: object
globalName:
type: string
hdfs:
properties:
addresses:
items:
type: string
type: array
force:
type: boolean
hdfsUser:
type: string
krbCCacheSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
krbConfigConfigMap:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
krbKeytabSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
krbRealm:
type: string
krbServicePrincipalName:
type: string
krbUsername:
type: string
path:
type: string
required:
- path
type: object
http:
properties:
auth:
properties:
basicAuth:
properties:
passwordSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
usernameSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
type: object
clientCert:
properties:
clientCertSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
clientKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
type: object
oauth2:
properties:
clientIDSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
clientSecretSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
endpointParams:
items:
properties:
key:
type: string
value:
type: string
required:
- key
type: object
type: array
scopes:
items:
type: string
type: array
tokenURLSecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
type: object
type: object
headers:
items:
properties:
name:
type: string
value:
type: string
required:
- name
- value
type: object
type: array
url:
type: string
required:
- url
type: object
mode:
format: int32
type: integer
name:
type: string
optional:
type: boolean
oss:
properties:
accessKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
bucket:
type: string
createBucketIfNotPresent:
type: boolean
endpoint:
type: string
key:
type: string
lifecycleRule:
properties:
markDeletionAfterDays:
format: int32
type: integer
markInfrequentAccessAfterDays:
format: int32
type: integer
type: object
secretKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
securityToken:
type: string
required:
- key
type: object
path:
type: string
raw:
properties:
data:
type: string
required:
- data
type: object
recurseMode:
type: boolean
s3:
properties:
accessKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
bucket:
type: string
createBucketIfNotPresent:
properties:
objectLocking:
type: boolean
type: object
encryptionOptions:
properties:
enableEncryption:
type: boolean
kmsEncryptionContext:
type: string
kmsKeyId:
type: string
serverSideCustomerKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
type: object
endpoint:
type: string
insecure:
type: boolean
key:
type: string
region:
type: string
roleARN:
type: string
secretKeySecret:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
useSDKCreds:
type: boolean
type: object
subPath:
type: string
required:
- name
type: object
type: array
exitCode:
type: string
parameters:
items:
properties:
default:
type: string
description:
type: string
enum:
items:
type: string
type: array
globalName:
type: string
name:
type: string
value:
type: string
valueFrom:
properties:
configMapKeyRef:
properties:
key:
type: string
name:
type: string
optional:
type: boolean
required:
- key
type: object
default:
type: string
event:
type: string
expression:
type: string
jqFilter:
type: string
jsonPath:
type: string
parameter:
type: string
path:
type: string
supplied:
type: object
type: object
required:
- name
type: object
type: array
result:
type: string
type: object
phase:
type: string
progress:
type: string
required:
- metadata
type: object
served: true
storage: true
{{- end }}

50
helm/argo-workflows/templates/crds/argoproj.io_workflowtasksets.yaml Normal file
View File

@@ -0,0 +1,50 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflowtasksets.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowTaskSet
listKind: WorkflowTaskSetList
plural: workflowtasksets
shortNames:
- wfts
singular: workflowtaskset
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
status:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}
{{- end }}

44
helm/argo-workflows/templates/crds/argoproj.io_workflowtemplates.yaml Normal file
View File

@@ -0,0 +1,44 @@
{{- if .Values.crds.install }}
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: workflowtemplates.argoproj.io
annotations:
{{- if .Values.crds.keep }}
"helm.sh/resource-policy": keep
{{- end }}
{{- with .Values.crds.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
group: argoproj.io
names:
kind: WorkflowTemplate
listKind: WorkflowTemplateList
plural: workflowtemplates
shortNames:
- wftmpl
singular: workflowtemplate
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
type: object
x-kubernetes-map-type: atomic
x-kubernetes-preserve-unknown-fields: true
required:
- metadata
- spec
type: object
served: true
storage: true
{{- end }}

8
helm/argo-workflows/templates/extra-manifests.yaml Normal file
View File

@@ -0,0 +1,8 @@
{{ range .Values.extraObjects }}
---
{{- if typeIs "string" . }}
{{- tpl . $ }}
{{- else }}
{{- tpl (toYaml .) $ }}
{{- end }}
{{ end }}

11
helm/argo-workflows/templates/server/gke/backendconfig.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if .Values.server.GKEbackendConfig.enabled }}
apiVersion: {{ include "argo-workflows.apiVersions.cloudgoogle" . }}
kind: BackendConfig
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
{{- toYaml .Values.server.GKEbackendConfig.spec | nindent 2 }}
{{- end }}

11
helm/argo-workflows/templates/server/gke/frontendconfig.yaml Normal file
View File

@@ -0,0 +1,11 @@
{{- if .Values.server.GKEfrontendConfig.enabled }}
apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
{{- toYaml .Values.server.GKEfrontendConfig.spec | nindent 2 }}
{{- end }}

12
helm/argo-workflows/templates/server/gke/managedcertificate.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if .Values.server.GKEmanagedCertificate.enabled }}
apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
spec:
domains:
{{- with .Values.server.GKEmanagedCertificate.domains }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

145
helm/argo-workflows/templates/server/server-cluster-roles.yaml Normal file
View File

@@ -0,0 +1,145 @@
{{- if and .Values.server.enabled .Values.server.rbac.create}}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
{{- if .Values.singleNamespace }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- events
verbs:
- get
- watch
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- delete
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
{{- if .Values.server.sso.enabled }}
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- sso
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
{{- if .Values.server.sso.rbac.enabled }}
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- list
- watch
{{- end }}
{{- end }}
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
{{- if and .Values.server.sso.enabled .Values.server.sso.rbac.enabled }}
{{- with .Values.server.sso.rbac.secretWhitelist }}
resourceNames: {{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
- apiGroups:
- ""
resources:
- events
verbs:
- watch
- create
- patch
{{- if .Values.controller.persistence }}
- apiGroups:
- ""
resources:
- secrets
resourceNames:
{{- with .Values.controller.persistence.postgresql }}
- {{ .userNameSecret.name }}
- {{ .passwordSecret.name }}
{{- end}}
{{- with .Values.controller.persistence.mysql }}
- {{ .userNameSecret.name }}
- {{ .passwordSecret.name }}
{{- end}}
verbs:
- get
{{- end}}
- apiGroups:
- argoproj.io
resources:
- eventsources
- sensors
- workflows
- workfloweventbindings
- workflowtemplates
- cronworkflows
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
{{- if .Values.server.clusterWorkflowTemplates.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "argo-workflows.server.fullname" . }}-cluster-template
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- clusterworkflowtemplates
verbs:
- get
- list
- watch
{{- if .Values.server.clusterWorkflowTemplates.enableEditing }}
- create
- update
- patch
- delete
{{- end }}
{{- end }}
{{- end }}

45
helm/argo-workflows/templates/server/server-crb.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if and .Values.server.enabled .Values.server.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.singleNamespace }}
kind: RoleBinding
{{ else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
{{- if .Values.singleNamespace }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if .Values.singleNamespace }}
kind: Role
{{ else }}
kind: ClusterRole
{{- end }}
name: {{ template "argo-workflows.server.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.serverServiceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.server.clusterWorkflowTemplates.enabled }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "argo-workflows.server.fullname" . }}-cluster-template
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "argo-workflows.server.fullname" . }}-cluster-template
subjects:
- kind: ServiceAccount
name: {{ template "argo-workflows.serverServiceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end -}}
{{- end -}}

45
helm/argo-workflows/templates/server/server-deployment-hpa.yaml Normal file
View File

@@ -0,0 +1,45 @@
{{- if and .Values.server.enabled .Values.server.autoscaling.enabled }}
apiVersion: {{ include "argo-workflows.apiVersion.autoscaling" . }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ template "argo-workflows.server.fullname" . }}
minReplicas: {{ .Values.server.autoscaling.minReplicas }}
maxReplicas: {{ .Values.server.autoscaling.maxReplicas }}
metrics:
{{- with .Values.server.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
{{- if eq (include "argo-workflows.apiVersion.autoscaling" $) "autoscaling/v2beta1" }}
targetAverageUtilization: {{ . }}
{{- else }}
target:
averageUtilization: {{ . }}
type: Utilization
{{- end }}
{{- end }}
{{- with .Values.server.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
{{- if eq (include "argo-workflows.apiVersion.autoscaling" $) "autoscaling/v2beta1" }}
targetAverageUtilization: {{ . }}
{{- else }}
target:
averageUtilization: {{ . }}
type: Utilization
{{- end }}
{{- end }}
{{- with .Values.server.autoscaling.behavior }}
behavior:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

20
helm/argo-workflows/templates/server/server-deployment-pdb.yaml Normal file
View File

@@ -0,0 +1,20 @@
{{- if and .Values.server.enabled .Values.server.pdb.enabled -}}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
spec:
{{- if .Values.server.pdb.minAvailable }}
minAvailable: {{ .Values.server.pdb.minAvailable }}
{{- else if .Values.server.pdb.maxUnavailable }}
maxUnavailable: {{ .Values.server.pdb.maxUnavailable }}
{{- else }}
minAvailable: 0
{{- end }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
{{- end -}}

139
helm/argo-workflows/templates/server/server-deployment.yaml Normal file
View File

@@ -0,0 +1,139 @@
{{- if .Values.server.enabled -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
{{- with .Values.server.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.server.autoscaling.enabled }}
replicas: {{ .Values.server.replicas }}
{{- end }}
selector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 6 }}
template:
metadata:
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 8 }}
app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
{{- with .Values.server.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
serviceAccountName: {{ template "argo-workflows.serverServiceAccountName" . }}
{{- with .Values.server.podSecurityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.extraInitContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
containers:
- name: argo-server
image: "{{- include "argo-workflows.image" (dict "context" . "image" .Values.server.image) }}:{{ default (include "argo-workflows.defaultTag" .) .Values.server.image.tag }}"
imagePullPolicy: {{ .Values.images.pullPolicy }}
securityContext:
{{- toYaml .Values.server.securityContext | nindent 12 }}
args:
- server
- --configmap={{ template "argo-workflows.controller.fullname" . }}-configmap
{{- with .Values.server.extraArgs }}
{{- toYaml . | nindent 10 }}
{{- end }}
- "--secure={{ .Values.server.secure }}"
{{- if .Values.singleNamespace }}
- "--namespaced"
{{- end }}
- "--loglevel"
- "{{ .Values.server.logging.level }}"
- "--gloglevel"
- "{{ .Values.server.logging.globallevel }}"
- "--log-format"
- "{{ .Values.server.logging.format }}"
ports:
- name: web
containerPort: 2746
readinessProbe:
httpGet:
path: /
port: 2746
{{- if .Values.server.secure }}
scheme: HTTPS
{{- else }}
scheme: HTTP
{{- end }}
initialDelaySeconds: 10
periodSeconds: 20
env:
- name: IN_CLUSTER
value: "true"
- name: ARGO_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: BASE_HREF
value: {{ .Values.server.baseHref | quote }}
{{- with .Values.server.extraEnv }}
{{- toYaml . | nindent 12 }}
{{- end }}
resources:
{{- toYaml .Values.server.resources | nindent 12 }}
volumeMounts:
- name: tmp
mountPath: /tmp
{{- with .Values.server.volumeMounts }}
{{- toYaml . | nindent 10}}
{{- end }}
{{- with .Values.server.extraContainers }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.images.pullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: tmp
emptyDir: {}
{{- with .Values.server.volumes }}
{{- toYaml . | nindent 6}}
{{- end }}
{{- with .Values.server.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.server.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-workflows.selectorLabels" (dict "context" $ "name" $.Values.server.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.server.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- end -}}

90
helm/argo-workflows/templates/server/server-ingress.yaml Normal file
View File

@@ -0,0 +1,90 @@
{{- if .Values.server.ingress.enabled -}}
{{- $serviceName := include "argo-workflows.server.fullname" . -}}
{{- $servicePort := .Values.server.servicePort -}}
{{- $paths := .Values.server.ingress.paths -}}
{{- $extraPaths := .Values.server.ingress.extraPaths -}}
{{- $pathType := .Values.server.ingress.pathType -}}
apiVersion: {{ include "argo-workflows.ingress.apiVersion" . }}
kind: Ingress
metadata:
{{- if .Values.server.ingress.annotations }}
annotations:
{{- range $key, $value := .Values.server.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- if .Values.server.ingress.labels }}
{{- toYaml .Values.server.ingress.labels | nindent 4 }}
{{- end }}
spec:
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
{{- with .Values.server.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
{{- end }}
rules:
{{- if .Values.server.ingress.hosts }}
{{- range $host := .Values.server.ingress.hosts }}
- host: {{ $host }}
http:
paths:
{{- if $extraPaths }}
{{- toYaml $extraPaths | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
pathType: {{ $pathType }}
{{- end }}
backend:
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
service:
name: {{ $serviceName }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- else }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- else }}
- http:
paths:
{{- if $extraPaths }}
{{- toYaml $extraPaths | nindent 10 }}
{{- end }}
{{- range $p := $paths }}
- path: {{ $p }}
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
pathType: {{ $pathType }}
{{- end }}
backend:
{{- if eq (include "argo-workflows.ingress.apiVersion" $) "networking.k8s.io/v1" }}
service:
name: {{ $serviceName }}
port:
{{- if kindIs "float64" $servicePort }}
number: {{ $servicePort }}
{{- else }}
name: {{ $servicePort }}
{{- end }}
{{- else }}
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- end -}}
{{- end -}}
{{- if .Values.server.ingress.tls }}
tls:
{{- toYaml .Values.server.ingress.tls | nindent 4 }}
{{- end -}}
{{- end -}}

16
helm/argo-workflows/templates/server/server-sa.yaml Normal file
View File

@@ -0,0 +1,16 @@
{{- if and .Values.server.enabled .Values.server.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "argo-workflows.serverServiceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
{{- with .Values.server.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.server.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

35
helm/argo-workflows/templates/server/server-service.yaml Normal file
View File

@@ -0,0 +1,35 @@
{{- if .Values.server.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: {{ template "argo-workflows.server.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{- include "argo-workflows.labels" (dict "context" . "component" .Values.server.name "name" .Values.server.name) | nindent 4 }}
app.kubernetes.io/version: {{ include "argo-workflows.server_chart_version_label" . }}
{{- with .Values.server.serviceAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ports:
- port: {{ .Values.server.servicePort }}
{{- with .Values.server.servicePortName }}
name: {{ . }}
{{- end }}
targetPort: 2746
{{- if and (eq .Values.server.serviceType "NodePort") .Values.server.serviceNodePort }}
nodePort: {{ .Values.server.serviceNodePort }}
{{- end }}
selector:
{{- include "argo-workflows.selectorLabels" (dict "context" . "name" .Values.server.name) | nindent 4 }}
sessionAffinity: None
type: {{ .Values.server.serviceType }}
{{- if and (eq .Values.server.serviceType "LoadBalancer") .Values.server.loadBalancerIP }}
loadBalancerIP: {{ .Values.server.loadBalancerIP | quote }}
{{- end }}
{{- if and (eq .Values.server.serviceType "LoadBalancer") .Values.server.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- toYaml .Values.server.loadBalancerSourceRanges | nindent 4 }}
{{- end }}
{{- end -}}

841
helm/argo-workflows/values.yaml Normal file
View File

@@ -0,0 +1,841 @@
images:
# -- Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`.
tag: ""
# -- imagePullPolicy to apply to all containers
pullPolicy: Always
# -- Secrets with credentials to pull images from a private registry
pullSecrets: []
# - name: argo-pull-secret
## Custom resource configuration
crds:
# -- Install and upgrade CRDs
install: true
# -- Keep CRDs on chart uninstall
keep: true
# -- Annotations to be added to all CRDs
annotations: {}
# -- Create clusterroles that extend existing clusterroles to interact with argo-cd crds
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
createAggregateRoles: true
# -- String to partially override "argo-workflows.fullname" template
nameOverride:
# -- String to fully override "argo-workflows.fullname" template
fullnameOverride:
# -- Override the Kubernetes version, which is used to evaluate certain manifests
kubeVersionOverride: ""
# Override APIVersions
apiVersionOverrides:
# -- String to override apiVersion of autoscaling rendered by this helm chart
autoscaling: "" # autoscaling/v2
# -- String to override apiVersion of GKE resources rendered by this helm chart
cloudgoogle: "" # cloud.google.com/v1
# -- Restrict Argo to operate only in a single namespace (the namespace of the
# Helm release) by apply Roles and RoleBindings instead of the Cluster
# equivalents, and start workflow-controller with the --namespaced flag. Use it
# in clusters with strict access policy.
singleNamespace: false
workflow:
# -- Deprecated; use controller.workflowNamespaces instead.
namespace:
serviceAccount:
# -- Specifies whether a service account should be created
create: false
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- Service account which is used to run workflows
name: "argo-workflow"
# -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
pullSecrets: []
rbac:
# -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
# A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
create: true
controller:
image:
# -- Registry to use for the controller
registry: quay.io
# -- Registry to use for the controller
repository: argoproj/workflow-controller
# -- Image tag for the workflow controller. Defaults to `.Values.images.tag`.
tag: ""
# -- parallelism dictates how many workflows can be running at the same time
parallelism:
# -- Globally limits the rate at which pods are created.
# This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of
# parallel nodes.
resourceRateLimit: {}
# limit: 10
# burst: 1
rbac:
# -- Adds Role and RoleBinding for the controller.
create: true
# -- Allows controller to get, list, and watch certain k8s secrets
secretWhitelist: []
# -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
accessAllSecrets: false
# -- Allows controller to create and update ConfigMaps. Enables memoization feature
writeConfigMaps: false
# -- Limits the maximum number of incomplete workflows in a namespace
namespaceParallelism:
# -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224
initialDelay:
# -- deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment
deploymentAnnotations: {}
# -- podAnnotations is an optional map of annotations to be applied to the controller Pods
podAnnotations: {}
# -- Optional labels to add to the controller pods
podLabels: {}
# -- SecurityContext to set on the controller pods
podSecurityContext: {}
# podPortName: http
metricsConfig:
# -- Enables prometheus metrics server
enabled: false
# -- Path is the path where metrics are emitted. Must start with a "/".
path: /metrics
# -- Port is the port where metrics are emitted
port: 9090
# -- How often custom metrics are cleared from memory
metricsTTL: ""
# -- Flag that instructs prometheus to ignore metric emission errors.
ignoreErrors: false
# -- Flag that use a self-signed cert for TLS
secure: false
# -- Container metrics port name
portName: metrics
# -- Service metrics port
servicePort: 8080
# -- Service metrics port name
servicePortName: metrics
# -- ServiceMonitor relabel configs to apply to samples before scraping
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
relabelings: []
# -- ServiceMonitor metric relabel configs to apply to samples before ingestion
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint
metricRelabelings: []
# -- ServiceMonitor will add labels from the service to the Prometheus metric
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec
targetLabels: []
# -- the controller container's securityContext
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# -- enable persistence using postgres
persistence: {}
# connectionPool:
# maxIdleConns: 100
# maxOpenConns: 0
# # save the entire workflow into etcd and DB
# nodeStatusOffLoad: false
# # enable archiving of old workflows
# archive: false
# postgresql:
# host: localhost
# port: 5432
# database: postgres
# tableName: argo_workflows
# # the database secrets must be in the same namespace of the controller
# userNameSecret:
# name: argo-postgres-config
# key: username
# passwordSecret:
# name: argo-postgres-config
# key: password
# -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
# Only valid for 2.7+
## See more: https://argoproj.github.io/argo-workflows/default-workflow-specs/
workflowDefaults: {}
# spec:
# ttlStrategy:
# secondsAfterCompletion: 84600
# # Ref: https://argoproj.github.io/argo-workflows/artifact-repository-ref/
# artifactRepositoryRef:
# configMap: my-artifact-repository # default is "artifact-repositories"
# key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
# -- Number of workflow workers
workflowWorkers: # 32
# -- Restricts the Workflows that the controller will process.
# Only valid for 2.9+
workflowRestrictions: {}
# templateReferencing: Strict|Secure
# telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint
# as metrics by default, but can be overridden using this config.
telemetryConfig:
# -- Enables prometheus telemetry server
enabled: false
# -- telemetry path
path: /telemetry
# -- telemetry container port
port: 8081
# -- How often custom metrics are cleared from memory
metricsTTL: ""
# -- Flag that instructs prometheus to ignore metric emission errors.
ignoreErrors: false
# -- Flag that use a self-signed cert for TLS
secure: false
# -- telemetry service port
servicePort: 8081
# -- telemetry service port name
servicePortName: telemetry
serviceMonitor:
# -- Enable a prometheus ServiceMonitor
enabled: false
# -- Prometheus ServiceMonitor labels
additionalLabels: {}
# -- Prometheus ServiceMonitor namespace
namespace: "" # "monitoring"
serviceAccount:
# -- Create a service account for the controller
create: true
# -- Service account name
name: ""
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- Workflow controller name string
name: workflow-controller
# -- Specify all namespaces where this workflow controller instance will manage
# workflows. This controls where the service account and RBAC resources will
# be created. Only valid when singleNamespace is false.
workflowNamespaces:
- default
instanceID:
# -- Configures the controller to filter workflow submissions
# to only those which have a matching instanceID attribute.
## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
## or `instanceID.explicitID` must be defined.
enabled: false
# -- Use ReleaseName as instanceID
useReleaseName: false
# useReleaseName: true
# -- Use a custom instanceID
explicitID: ""
# explicitID: unique-argo-controller-identifier
logging:
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
level: info
# -- Set the glog logging level
globallevel: "0"
# -- Set the logging format (one of: `text`, `json`)
format: "text"
# -- Service type of the controller Service
serviceType: ClusterIP
# -- Annotations to be applied to the controller Service
serviceAnnotations: {}
# -- Optional labels to add to the controller Service
serviceLabels: {}
# -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
loadBalancerSourceRanges: []
# -- Resource limits and requests for the controller
resources: {}
# -- Configure liveness [probe] for the controller
# @default -- See [values.yaml]
livenessProbe:
httpGet:
port: 6060
path: /healthz
failureThreshold: 3
initialDelaySeconds: 90
periodSeconds: 60
timeoutSeconds: 30
# -- Extra environment variables to provide to the controller container
extraEnv: []
# - name: FOO
# value: "bar"
# -- Extra arguments to be added to the controller
extraArgs: []
# -- Additional volume mounts to the controller main container
volumeMounts: []
# -- Additional volumes to the controller pod
volumes: []
# -- The number of controller pods to run
replicas: 1
pdb:
# -- Configure [Pod Disruption Budget] for the controller pods
enabled: false
# minAvailable: 1
# maxUnavailable: 1
# -- [Node selector]
nodeSelector:
kubernetes.io/os: linux
# -- [Tolerations] for use with node taints
tolerations: []
# -- Assign custom [affinity] rules
affinity: {}
# -- Assign custom [TopologySpreadConstraints] rules to the workflow controller
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# -- Leverage a PriorityClass to ensure your pods survive resource shortages.
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
# -- Configure Argo Server to show custom [links]
## Ref: https://argoproj.github.io/argo-workflows/links/
links: []
# -- Configure Argo Server to show custom [columns]
## Ref: https://github.com/argoproj/argo-workflows/pull/10693
columns: []
# -- Set ui navigation bar background color
navColor: ""
clusterWorkflowTemplates:
# -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
enabled: true
# -- Extra containers to be added to the controller deployment
extraContainers: []
# -- Enables init containers to be added to the controller deployment
extraInitContainers: []
# -- Workflow retention by number of workflows
retentionPolicy: {}
# completed: 10
# failed: 3
# errored: 3
nodeEvents:
# -- Enable to emit events on node completion.
## This can take up a lot of space in k8s (typically etcd) resulting in errors when trying to create new events:
## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
enabled: true
# -- Configure when workflow controller runs in a different k8s cluster with the workflow workloads,
# or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret.
# @default -- `{}` (See [values.yaml])
kubeConfig: {}
# # name of the kubeconfig secret, may not be empty when kubeConfig specified
# secretName: kubeconfig-secret
# # key of the kubeconfig secret, may not be empty when kubeConfig specified
# secretKey: kubeconfig
# # mounting path of the kubeconfig secret, default to /kube/config
# mountPath: /kubeconfig/mount/path
# # volume name when mounting the secret, default to kubeconfig
# volumeName: kube-config-volume
# -- Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately.
# @default -- `30` seconds (Kubernetes default)
podGCGracePeriodSeconds:
# -- The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately.
# @default -- `5s` (Argo Workflows default)
podGCDeleteDelayDuration: ""
# mainContainer adds default config for main container that could be overriden in workflows template
mainContainer:
# -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`.
imagePullPolicy: ""
# -- Resource limits and requests for the Workflow main container
resources: {}
# -- Adds environment variables for the Workflow main container
env: []
# -- Adds reference environment variables for the Workflow main container
envFrom: []
# -- sets security context for the Workflow main container
securityContext: {}
# executor controls how the init and wait container should be customized
executor:
image:
# -- Registry to use for the Workflow Executors
registry: quay.io
# -- Repository to use for the Workflow Executors
repository: argoproj/argoexec
# -- Image tag for the workflow executor. Defaults to `.Values.images.tag`.
tag: ""
# -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`.
pullPolicy: ""
# -- Resource limits and requests for the Workflow Executors
resources: {}
# -- Passes arguments to the executor processes
args: []
# -- Adds environment variables for the executor.
env: []
# -- sets security context for the executor container
securityContext: {}
server:
# -- Deploy the Argo Server
enabled: true
# -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
## only updates base url of resources on client side,
## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
baseHref: /
image:
# -- Registry to use for the server
registry: quay.io
# -- Repository to use for the server
repository: argoproj/argocli
# -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
tag: ""
# -- optional map of annotations to be applied to the ui Deployment
deploymentAnnotations: {}
# -- optional map of annotations to be applied to the ui Pods
podAnnotations: {}
# -- Optional labels to add to the UI pods
podLabels: {}
# -- SecurityContext to set on the server pods
podSecurityContext: {}
rbac:
# -- Adds Role and RoleBinding for the server.
create: true
# -- Servers container-level security context
securityContext:
readOnlyRootFilesystem: false
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
# -- Server name string
name: server
# -- Service type for server pods
serviceType: ClusterIP
# -- Service port for server
servicePort: 2746
# -- Service node port
serviceNodePort: # 32746
# -- Service port name
servicePortName: "" # http
serviceAccount:
# -- Create a service account for the server
create: true
# -- Service account name
name: ""
# -- Labels applied to created service account
labels: {}
# -- Annotations applied to created service account
annotations: {}
# -- Annotations to be applied to the UI Service
serviceAnnotations: {}
# -- Optional labels to add to the UI Service
serviceLabels: {}
# -- Static IP address to assign to loadBalancer service type `LoadBalancer`
loadBalancerIP: ""
# -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
loadBalancerSourceRanges: []
# -- Resource limits and requests for the server
resources: {}
# -- The number of server pods to run
replicas: 1
## Argo Server Horizontal Pod Autoscaler
autoscaling:
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server
enabled: false
# -- Minimum number of replicas for the Argo Server [HPA]
minReplicas: 1
# -- Maximum number of replicas for the Argo Server [HPA]
maxReplicas: 5
# -- Average CPU utilization percentage for the Argo Server [HPA]
targetCPUUtilizationPercentage: 50
# -- Average memory utilization percentage for the Argo Server [HPA]
targetMemoryUtilizationPercentage: 50
# -- Configures the scaling behavior of the target in both Up and Down directions.
# This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
behavior: {}
# scaleDown:
# stabilizationWindowSeconds: 300
# policies:
# - type: Pods
# value: 1
# periodSeconds: 180
# scaleUp:
# stabilizationWindowSeconds: 300
# policies:
# - type: Pods
# value: 2
pdb:
# -- Configure [Pod Disruption Budget] for the server pods
enabled: false
# minAvailable: 1
# maxUnavailable: 1
# -- [Node selector]
nodeSelector:
kubernetes.io/os: linux
# -- [Tolerations] for use with node taints
tolerations: []
# -- Assign custom [affinity] rules
affinity: {}
# -- Assign custom [TopologySpreadConstraints] rules to the argo server
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
topologySpreadConstraints: []
# - maxSkew: 1
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: DoNotSchedule
# -- Leverage a PriorityClass to ensure your pods survive resource shortages
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
priorityClassName: ""
# -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs.
## See the following documentation for more details on secure mode:
## https://argoproj.github.io/argo-workflows/tls/
secure: false
# -- Extra environment variables to provide to the argo-server container
extraEnv: []
# - name: FOO
# value: "bar"
# -- Extra arguments to provide to the Argo server binary, such as for disabling authentication.
extraArgs: []
# If you want to disable authentication for purposes such as:
# - local dev-mode without authentication
# - gateway authentication through some other service such as KeyCloak
# uncomment the lines below and comment out the default empty list `extraArgs: []` above:
# extraArgs:
# - --auth-mode=server
logging:
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
level: info
# -- Set the glog logging level
globallevel: "0"
# -- Set the logging format (one of: `text`, `json`)
format: "text"
# -- Additional volume mounts to the server main container.
volumeMounts: []
# -- Additional volumes to the server pod.
volumes: []
## Ingress configuration.
# ref: https://kubernetes.io/docs/user-guide/ingress/
ingress:
# -- Enable an ingress resource
enabled: false
# -- Additional ingress annotations
annotations: {}
# -- Additional ingress labels
labels: {}
# -- Defines which ingress controller will implement the resource
ingressClassName: ""
# -- List of ingress hosts
## Hostnames must be provided if Ingress is enabled.
## Secrets must be manually created in the namespace
hosts: []
# - argoworkflows.example.com
# -- List of ingress paths
paths:
- /
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
pathType: Prefix
# -- Additional ingress paths
extraPaths: []
# - path: /*
# backend:
# serviceName: ssl-redirect
# servicePort: use-annotation
## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
# - path: /*
# pathType: Prefix
# backend:
# service
# name: ssl-redirect
# port:
# name: use-annotation
# -- Ingress TLS configuration
tls: []
# - secretName: argoworkflows-example-tls
# hosts:
# - argoworkflows.example.com
## Create a Google Backendconfig for use with the GKE Ingress Controller
## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
GKEbackendConfig:
# -- Enable BackendConfig custom resource for Google Kubernetes Engine
enabled: false
# -- [BackendConfigSpec]
spec: {}
# spec:
# iap:
# enabled: true
# oauthclientCredentials:
# secretName: argoworkflows-secret
## Create a Google Managed Certificate for use with the GKE Ingress Controller
## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
GKEmanagedCertificate:
# -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
enabled: false
# -- Domains for the Google Managed Certificate
domains:
- argoworkflows.example.com
## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
GKEfrontendConfig:
# -- Enable FrontConfig custom resource for Google Kubernetes Engine
enabled: false
# -- [FrontendConfigSpec]
spec: {}
# spec:
# redirectToHttps:
# enabled: true
# responseCodeName: RESPONSE_CODE
clusterWorkflowTemplates:
# -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
enabled: true
# -- Give the server permissions to edit ClusterWorkflowTemplates.
enableEditing: true
# SSO configuration when SSO is specified as a server auth mode.
sso:
# -- Create SSO configuration
## SSO is activated by adding --auth-mode=sso to the server command line.
enabled: false
# -- The root URL of the OIDC identity provider
issuer: https://accounts.google.com
clientId:
# -- Name of secret to retrieve the app OIDC client ID
name: argo-server-sso
# -- Key of secret to retrieve the app OIDC client ID
key: client-id
clientSecret:
# -- Name of a secret to retrieve the app OIDC client secret
name: argo-server-sso
# -- Key of a secret to retrieve the app OIDC client secret
key: client-secret
# - The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
redirectUrl: https://argo/oauth2/callback
rbac:
# -- Adds ServiceAccount Policy to server (Cluster)Role.
enabled: true
# -- Whitelist to allow server to fetch Secrets
## When present, restricts secrets the server can read to a given list.
## You can use it to restrict the server to only be able to access the
## service account token secrets that are associated with service accounts
## used for authorization.
secretWhitelist: []
# -- Scopes requested from the SSO ID provider
## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
scopes: []
# - groups
# -- Define how long your login is valid for (in hours)
## If omitted, defaults to 10h.
sessionExpiry: ""
# -- Alternate root URLs that can be included for some OIDC providers
issuerAlias: ""
# -- Override claim name for OIDC groups
customGroupClaimName: ""
# -- Specify the user info endpoint that contains the groups claim
## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
userInfoPath: ""
# -- Skip TLS verification for the HTTP client
insecureSkipVerify: false
# -- Extra containers to be added to the server deployment
extraContainers: []
# -- Enables init containers to be added to the server deployment
extraInitContainers: []
# -- Array of extra K8s manifests to deploy
extraObjects: []
# - apiVersion: secrets-store.csi.x-k8s.io/v1
# kind: SecretProviderClass
# metadata:
# name: argo-server-sso
# spec:
# provider: aws
# parameters:
# objects: |
# - objectName: "argo/server/sso"
# objectType: "secretsmanager"
# jmesPath:
# - path: "client_id"
# objectAlias: "client_id"
# - path: "client_secret"
# objectAlias: "client_secret"
# secretObjects:
# - data:
# - key: client_id
# objectName: client_id
# - key: client_secret
# objectName: client_secret
# secretName: argo-server-sso-secrets-store
# type: Opaque
# -- Use static credentials for S3 (eg. when not using AWS IRSA)
useStaticCredentials: true
artifactRepository:
# -- Archive the main container logs as an artifact
archiveLogs: false
# -- Store artifact in a S3-compliant object store
# @default -- See [values.yaml]
s3: {}
# # Note the `key` attribute is not the actual secret, it's the PATH to
# # the contents in the associated secret, as defined by the `name` attribute.
# accessKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: accesskey
# secretKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: secretkey
# # insecure will disable TLS. Primarily used for minio installs not configured with TLS
# insecure: false
# bucket:
# endpoint:
# region:
# roleARN:
# useSDKCreds: true
# encryptionOptions:
# enableEncryption: true
# -- Store artifact in a GCS object store
# @default -- `{}` (See [values.yaml])
gcs: {}
# bucket: <project>-argo
# keyFormat: "{{ \"{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}\" }}"
# serviceAccountKeySecret is a secret selector.
# It references the k8s secret named 'my-gcs-credentials'.
# This secret is expected to have have the key 'serviceAccountKey',
# containing the base64 encoded credentials
# to the bucket.
#
# If it's running on GKE and Workload Identity is used,
# serviceAccountKeySecret is not needed.
# serviceAccountKeySecret:
# name: my-gcs-credentials
# key: serviceAccountKey
# -- Store artifact in Azure Blob Storage
# @default -- `{}` (See [values.yaml])
azure: {}
# endpoint: https://mystorageaccountname.blob.core.windows.net
# container: my-container-name
# blobNameFormat: path/in/container
## accountKeySecret is a secret selector.
## It references the k8s secret named 'my-azure-storage-credentials'.
## This secret is expected to have have the key 'account-access-key',
## containing the base64 encoded credentials to the storage account.
## If a managed identity has been assigned to the machines running the
## workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity)
## then accountKeySecret is not needed, and useSDKCreds should be
## set to true instead:
# useSDKCreds: true
# accountKeySecret:
# name: my-azure-storage-credentials
# key: account-access-key
# -- The section of custom artifact repository.
# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure)
customArtifactRepository: {}
# artifactory:
# repoUrl: https://artifactory.example.com/raw
# usernameSecret:
# name: artifactory-creds
# key: username
# passwordSecret:
# name: artifactory-creds
# key: password
# -- The section of [artifact repository ref](https://argoproj.github.io/argo-workflows/artifact-repository-ref/).
# Each map key is the name of configmap
# @default -- `{}` (See [values.yaml])
artifactRepositoryRef: {}
# # -- 1st ConfigMap
# # If you want to use this config map by default, name it "artifact-repositories".
# # Otherwise, you can provide a reference to a
# # different config map in `artifactRepositoryRef.configMap`.
# artifact-repositories:
# # -- v3.0 and after - if you want to use a specific key, put that key into this annotation.
# annotations:
# workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
# # 1st data of configmap. See above artifactRepository or customArtifactRepository.
# default-v1-s3-artifact-repository:
# archiveLogs: false
# s3:
# bucket: my-bucket
# endpoint: minio:9000
# insecure: true
# accessKeySecret:
# name: my-minio-cred
# key: accesskey
# secretKeySecret:
# name: my-minio-cred
# key: secretkey
# # 2nd data
# oss-artifact-repository:
# archiveLogs: false
# oss:
# endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
# bucket: $mybucket
# # accessKeySecret and secretKeySecret are secret selectors.
# # It references the k8s secret named 'bucket-workflow-artifect-credentials'.
# # This secret is expected to have have the keys 'accessKey'
# # and 'secretKey', containing the base64 encoded credentials
# # to the bucket.
# accessKeySecret:
# name: $mybucket-credentials
# key: accessKey
# secretKeySecret:
# name: $mybucket-credentials
# key: secretKey
# # 2nd ConfigMap
# another-artifact-repositories:
# annotations:
# workflows.argoproj.io/default-artifact-repository: gcs
# gcs:
# bucket: my-bucket
# keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
# serviceAccountKeySecret:
# name: my-gcs-credentials
# key: serviceAccountKey
emissary:
# -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.
## See more: https://argoproj.github.io/argo-workflows/workflow-executors/#emissary-emissary
images: []
# argoproj/argosay:v2:
# cmd: [/argosay]
# docker/whalesay:latest:
# cmd: [/bin/bash]