argo-workflows

Helm chart

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param rbac.singleNamespace Restrict Argo to only deploy into a single namespace by applying Roles and RoleBindings instead of the Cluster equivalents, and start argo-cli with the --namespaced flag. Use it in clusters with strict access policy.
##
rbac:
  singleNamespace: false
## @param createAggregateRoles Create Aggregated cluster roles
##
createAggregateRoles: true
## @section Argo Workflows Server configuration parameters
##

## Argo Workflows server (based on the CLI) image
##
server:
  ## Chainguard Argo Workflow CLI image
  ## @param server.image.registry [default: REGISTRY_NAME] server image registry
  ## @param server.image.repository [default: REPOSITORY_NAME/argo-workflow-cli] server image repository
  ## @skip server.image.tag server image tag (immutable tags are recommended)
  ## @param server.image.digest server image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param server.image.pullPolicy server image pull policy
  ## @param server.image.pullSecrets server image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/argo-workflow-cli-iamguarded
    tag: 3.7.10
    digest: ""
    ## Specify a imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param server.enabled Enable server deployment
  ##
  enabled: true
  ## @param server.replicaCount Number of server replicas to deploy
  ##
  replicaCount: 1
  ## Configure extra options for server containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param server.livenessProbe.enabled Enable livenessProbe on server nodes
  ## @param server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param server.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param server.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param server.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 10
    periodSeconds: 20
    timeoutSeconds: 1
    failureThreshold: 3
    successThreshold: 1
  ## @param server.readinessProbe.enabled Enable readinessProbe on server nodes
  ## @param server.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param server.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param server.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param server.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param server.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 10
    periodSeconds: 20
    timeoutSeconds: 1
    failureThreshold: 3
    successThreshold: 1
  ## @param server.startupProbe.enabled Enable startupProbe
  ## @param server.startupProbe.path Path to check for startupProbe
  ## @param server.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param server.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param server.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param server.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param server.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    path: /
    initialDelaySeconds: 300
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param server.customLivenessProbe Server custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param server.customReadinessProbe Server custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param server.customStartupProbe Server custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## server resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param server.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param server.podSecurityContext.enabled Enabled server pods' Security Context
  ## @param server.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param server.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param server.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param server.podSecurityContext.fsGroup Set server pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param server.containerSecurityContext.enabled Enabled server containers' Security Context
  ## @param server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param server.containerSecurityContext.runAsUser Set server containers' Security Context runAsUser
  ## @param server.containerSecurityContext.runAsGroup Set server containers' Security Context runAsGroup
  ## @param server.containerSecurityContext.runAsNonRoot Set server containers' Security Context runAsNonRoot
  ## @param server.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
  ## @param server.containerSecurityContext.privileged Set server container's Security Context privileged
  ## @param server.containerSecurityContext.allowPrivilegeEscalation Set server container's Security Context allowPrivilegeEscalation
  ## @param server.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param server.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
  ## Create RBAC resources for the Argo workflows server
  ## @param server.rbac.create Create RBAC resources for the Argo workflows server
  ##
  rbac:
    create: true
  ## @param server.extraArgs Extra arguments for the server command line
  ##
  extraArgs: ""
  ## Enable authentication with the specified mode
  ## Ref: https://argoproj.github.io/argo-workflows/argo-server-auth-mode/
  ##
  auth:
    ## @param server.auth.enabled Enable authentication
    ##
    enabled: true
    ## @param server.auth.mode Set authentication mode. Either `server`, `client` or `sso`.
    ##
    mode: client
    ## SSO configuration when SSO is specified as a server auth mode.
    ## All the values are required. SSO is activated by adding --auth-mode=sso to the server command line.
    ## @param server.auth.sso.enabled Enable SSO configuration for the server auth mode
    ## @param server.auth.sso.config.issuer Root URL for the OIDC identity provider
    ## @param server.auth.sso.config.clientId.name Name of the secret containing the OIDC client ID
    ## @param server.auth.sso.config.clientId.key Key in the secret to obtain the OIDC client ID
    ## @param server.auth.sso.config.clientSecret.name Name of the secret containing the OIDC client secret
    ## @param server.auth.sso.config.clientSecret.key Key in the secret to obtain the OIDC client secret
    ## @param server.auth.sso.config.redirectUrl The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
    ## @param server.auth.sso.rbac.enabled Create RBAC resources for SSO
    ## @param server.auth.sso.rbac.secretWhitelist Restricts the secrets that the server can read
    ## @param server.auth.sso.scopes Scopes requested from the SSO ID provider
    ##
    sso:
      enabled: false
      ## The root URL of the OIDC identity provider.
      ## E.g.
      ## issuer: "https://accounts.google.com"
      ##
      config:
        issuer: ""
        ## Name of a secret and a key in it to retrieve the app OIDC client ID from.
        ##
        clientId:
          name: ""
          key: ""
        ## Name of a secret and a key in it to retrieve the app OIDC client secret from.
        ##
        clientSecret:
          name: ""
          key: ""
        ## The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
        ##
        redirectUrl: ""
      ## Create RBAC resources for SSO
      ##
      rbac:
        enabled: true
        ## When present, restricts secrets the server can read to a given list.
        ## You can use it to restrict the server to only be able to access the
        ## service account token secrets that are associated with service accounts
        ## used for authorization.
        ##
        secretWhitelist: []
      ## Scopes requested from the SSO ID provider. The 'groups' scope requests
      ## group membership information, which is usually used for authorization
      ## decisions.
      ##
      scopes: []
  ## @param server.clusterWorkflowTemplates.enabled Create ClusterRole and CRB for the controller to access ClusterWorkflowTemplates
  ## @param server.clusterWorkflowTemplates.enableEditing Give the server permissions to edit ClusterWorkflowTemplates
  ##
  clusterWorkflowTemplates:
    # Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
    enabled: true
    enableEditing: true
  ## Pod disruption budget configuration
  ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ## @param server.pdb.enabled Create Pod Disruption Budget for the server component
  ## @param server.pdb.minAvailable Sets the min number of pods available for the Pod Disruption Budget
  ## @param server.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget
  ##
  pdb:
    enabled: true
    minAvailable: ""
    maxUnavailable: ""
  ## Run the argo server in "secure" mode.
  ## Ref: https://argoproj.github.io/argo-workflows/tls/
  ## @param server.secure Run Argo server in secure mode
  ##
  secure: false
  ## Base URL for client resources
  ## Ref: https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
  ## @param server.baseHref Base href of the Argo Workflows deployment
  ##
  baseHref: /
  ## Server container port
  ## @param server.containerPorts.web argo Server container port
  ##
  containerPorts:
    web: 2746
  ## Server Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ## @param server.serviceAccount.create Specifies whether a ServiceAccount should be created
  ## @param server.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
  ## @param server.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ## @param server.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: true
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## @param server.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param server.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param server.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param server.hostAliases server pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param server.podLabels Extra labels for server pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param server.podAnnotations Annotations for server pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param server.podAffinityPreset Pod affinity preset. Ignored if `server.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param server.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `server.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node server.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param server.nodeAffinityPreset.type Node affinity preset type. Ignored if `server.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param server.nodeAffinityPreset.key Node label key to match. Ignored if `server.affinity` is set
    ##
    key: ""
    ## @param server.nodeAffinityPreset.values Node label values to match. Ignored if `server.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param server.affinity Affinity for server pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `server.podAffinityPreset`, `server.podAntiAffinityPreset`, and `server.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param server.nodeSelector Node labels for server pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param server.tolerations Tolerations for server pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param server.updateStrategy.type server statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param server.topologySpreadConstraints Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ##
  ## topologySpreadConstraints:
  ##   - maxSkew: 1
  ##     topologyKey: failure-domain.beta.kubernetes.io/zone
  ##     whenUnsatisfiable: DoNotSchedule
  ##
  topologySpreadConstraints: []
  ## @param server.schedulerName Alternate scheduler for the server deployment
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param server.priorityClassName server pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param server.lifecycleHooks for the server container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param server.extraEnvVars Array with extra environment variables to add to server nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param server.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for server nodes
  ##
  extraEnvVarsCM: ""
  ## @param server.extraEnvVarsSecret Name of existing Secret containing extra env vars for server nodes
  ##
  extraEnvVarsSecret: ""
  ## @param server.extraVolumes Optionally specify extra list of additional volumes for the server pod(s)
  ##
  extraVolumes: []
  ## @param server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the server container(s)
  ##
  extraVolumeMounts: []
  ## @param server.sidecars Add additional sidecar containers to the server pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param server.initContainers Add additional init containers to the server pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Server service parameters
  ##
  service:
    ## @param server.service.type server service type
    ##
    type: ClusterIP
    ## @param server.service.ports.http server service HTTP port
    ##
    ports:
      http: 80
    ## Node ports to expose
    ## @param server.service.nodePorts.http Node port for HTTP
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
    ## @param server.service.clusterIP server service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param server.service.loadBalancerIP server service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param server.service.loadBalancerSourceRanges server service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param server.service.externalTrafficPolicy server service external traffic policy
    ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param server.service.annotations Additional custom annotations for server service
    ##
    annotations: {}
    ## @param server.service.extraPorts Extra port to expose on the server service
    ##
    extraPorts: []
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param server.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param server.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param server.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param server.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param server.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    extraIngress: []
    ## @param server.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
    ## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section Argo Workflows Controller configuration parameters
##

## Argo Workflows Controller
##
controller:
  ## Chainguard Argo Workflow Controller image
  ## @param controller.image.registry [default: REGISTRY_NAME] controller image registry
  ## @param controller.image.repository [default: REPOSITORY_NAME/argo-workflow-controller] controller image repository
  ## @skip controller.image.tag controller image tag (immutable tags are recommended)
  ## @param controller.image.digest controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param controller.image.pullPolicy controller image pull policy
  ## @param controller.image.pullSecrets controller image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/argo-workflow-controller-iamguarded
    tag: 3.7.10
    digest: ""
    ## Specify a imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param controller.replicaCount Number of controller replicas to deploy
  ##
  replicaCount: 1
  ## Configure extra options for controller containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param controller.livenessProbe.enabled Enable livenessProbe on controller nodes
  ## @param controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param controller.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param controller.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param controller.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 90
    periodSeconds: 60
    timeoutSeconds: 30
    failureThreshold: 3
    successThreshold: 1
  ## @param controller.readinessProbe.enabled Enable readinessProbe on controller nodes
  ## @param controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param controller.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param controller.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param controller.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 60
    timeoutSeconds: 30
    failureThreshold: 3
    successThreshold: 1
  ## @param controller.startupProbe.enabled Enable startupProbe
  ## @param controller.startupProbe.path Path to check for startupProbe
  ## @param controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param controller.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param controller.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param controller.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    path: /
    initialDelaySeconds: 300
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param controller.customLivenessProbe Controller custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param controller.customReadinessProbe Controller custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param controller.customStartupProbe Controller custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
646
## controller resource requests and limits
647
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
648
## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
649
##
650
resourcesPreset: "nano"
651
## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
652
## Example:
653
## resources:
654
## requests:
655
## cpu: 2
656
## memory: 512Mi
657
## limits:
658
## cpu: 3
659
## memory: 1024Mi
660
##
661
resources: {}
662
## Configure Pods Security Context
663
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param controller.podSecurityContext.enabled Enabled controller pods' Security Context
  ## @param controller.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param controller.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param controller.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param controller.podSecurityContext.fsGroup Set controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param controller.containerSecurityContext.enabled Enabled controller containers' Security Context
  ## @param controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param controller.containerSecurityContext.runAsUser Set controller containers' Security Context runAsUser
  ## @param controller.containerSecurityContext.runAsGroup Set controller containers' Security Context runAsGroup
  ## @param controller.containerSecurityContext.runAsNonRoot Set controller containers' Security Context runAsNonRoot
  ## @param controller.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
  ## @param controller.containerSecurityContext.privileged Set controller container's Security Context privileged
  ## @param controller.containerSecurityContext.allowPrivilegeEscalation Set controller container's Security Context allowPrivilegeEscalation
  ## @param controller.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param controller.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
  ## Server container port
  ## @param controller.containerPorts.metrics Port to expose controller metrics
  ## @param controller.containerPorts.telemetry Port to expose controller telemetry
  ##
  containerPorts:
    metrics: 9090
    telemetry: 8081
  ## Create RBAC resources for the Argo workflows controller
  ## @param controller.rbac.create Create RBAC resources for the Argo workflows controller
  ##
  rbac:
    create: true
  ## Use an existing configmap instead of creating a configmap with the specified parameters
  ## @param controller.existingConfigMap
  ##
  existingConfigMap: ""
  ## @param controller.extraArgs Extra arguments for the controller command line
  ##
  extraArgs: ""
  ##
  ## @param controller.persistence.archive.enabled Save completed workflows to an SQL database.
  persistence:
    archive:
      enabled: false
  ## Controller configmap configuration content. Requires controller.existingConfigMap to be empty.
  ## @param controller.config [object] Controller configmap configuration content
  ##
  config: |
    {{- if .Values.controller.instanceID.enabled }}
    {{- if .Values.controller.instanceID.useReleaseName }}
    instanceID: {{ .Release.Name }}
    {{- else }}
    instanceID: {{ .Values.controller.instanceID.explicitID }}
    {{- end }}
    {{- end }}
    ## How many workflows can be running at the same time
    ##
    parallelism:
    ## Maximum number of workflows running in a namespace
    ##
    namespaceParallelism:
    {{- if or .Values.executor.resources .Values.executor.extraEnvVars .Values.executor.containerSecurityContext }}
    executor:
      {{- if .Values.executor.resources }}
      resources: {{- include "common.tplvalues.render" (dict "value" .Values.executor.resources "context" $) | nindent 4 }}
      {{- else if ne .Values.executor.resourcesPreset "none" }}
      resources: {{- include "common.resources.preset" (dict "type" .Values.executor.resourcesPreset) | nindent 4 }}
      {{- end }}
      {{- if .Values.executor.extraEnvVars }}
      env: {{- include "common.tplvalues.render" (dict "value" .Values.executor.extraEnvVars "context" $) | nindent 4 }}
      {{- end }}
      {{- if .Values.executor.containerSecurityContext }}
      securityContext: {{- omit .Values.executor.containerSecurityContext "enabled" | toYaml | nindent 4 }}
      {{- end }}
    {{- end }}
    ## Uncomment to enable Artifact repository with the provided configuration
    ## artifactRepository:
    ##   archiveLogs: false
    ##   configuration: {}
    ##
    {{- if .Values.controller.metrics.enabled }}
    metricsConfig: {{- include "common.tplvalues.render" (dict "value" .Values.controller.metrics "context" $) | nindent 2 }}
    {{- end }}
    {{- if .Values.controller.telemetry.enabled }}
    telemetryConfig: {{- include "common.tplvalues.render" (dict "value" .Values.controller.telemetry "context" $) | nindent 2 }}
    {{- end }}
    {{- if (include "argo-workflows.controller.persistence.enabled" .) }}
    persistence:
      connectionPool:
        maxIdleConns: 100
        maxOpenConns: 0
      nodeStatusOffLoad: false
      archive: {{ include "common.tplvalues.render" (dict "value" .Values.controller.persistence.archive.enabled "context" $) }}
      {{- if or .Values.postgresql.enabled (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "postgresql")) }}
      postgresql:
      {{- else if or .Values.mysql.enabled (and .Values.externalDatabase.enabled (eq .Values.externalDatabase.type "mysql")) }}
      mysql:
      {{- end }}
        host: {{ include "argo-workflows.controller.database.host" . }}
        port: {{ include "argo-workflows.controller.database.port" . }}
        database: {{ include "argo-workflows.controller.database" . }}
        tableName: argo_workflows
        ## the database secrets must be in the same namespace as the controller
        ##
        userNameSecret:
          name: {{ include "argo-workflows.controller.database.username.secret" . }}
          key: username
        passwordSecret:
          name: {{ include "argo-workflows.controller.database.password.secret" . }}
          key: {{ include "argo-workflows.controller.database.password.secret.key" . }}
    {{- end }}
    {{- if .Values.controller.workflowDefaults }}
    workflowDefaults: {{- include "common.tplvalues.render" (dict "value" .Values.controller.workflowDefaults "context" $) | nindent 2 }}
    {{- end }}
    {{- if and .Values.server.auth.enabled .Values.server.auth.sso.enabled }}
    sso: {{- include "common.tplvalues.render" (dict "value" .Values.server.auth.sso.config "context" $) | nindent 2 }}
    {{- end }}
    ## Uncomment to set workflowRestrictions
    ## Ref: https://argoproj.github.io/argo-workflows/workflow-restrictions/
    ## workflowRestrictions: {}
    ## Uncomment to set links
    ## Ref: https://argoproj.github.io/argo-workflows/links/
    ## links: {}
    ##
  ## Configure the controller to accept only submissions with a matching instanceID attribute
  ## @param controller.instanceID.enabled Enable submission filtering based on instanceID attribute. Requires setting instanceID.useReleaseName or instanceID.explicitID
  ## @param controller.instanceID.useReleaseName Use the release name to filter submissions
  ## @param controller.instanceID.explicitID Filter submissions based on an explicit instance ID
  ##
  instanceID:
    enabled: false
    ## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.useReleaseName` or `instanceID.explicitID` must be defined.
    ##
    useReleaseName: false
    explicitID: ""
  ## @param controller.clusterWorkflowTemplates.enabled Whether to create a ClusterRole and Cluster Role Binding to access ClusterWorkflowTemplates resources
  ##
  clusterWorkflowTemplates:
    enabled: true
  ## Metrics configuration for the controller
  ## @param controller.metrics.enabled Enable controller metrics exporter
  ## @param controller.metrics.path Path to expose controller metrics
  ## @param controller.metrics.serviceMonitor.enabled Enable prometheus service monitor configuration
  ##
  metrics:
    enabled: false
    path: /metrics
    serviceMonitor:
      enabled: false
  ## Telemetry configuration for the controller
  ## @param controller.telemetry.enabled Enable telemetry for the controller
  ## @param controller.telemetry.path Path to expose telemetry information
  ##
  telemetry:
    enabled: false
    path: /telemetry
  ## Number of workflow workers to deploy
  ## @param controller.workflowWorkers Number of workflow workers to deploy
  ##
  workflowWorkers: 32
  ## Namespaces allowed to run workflows
  ## @param controller.workflowNamespaces Namespaces allowed to run workflows
  ##
  workflowNamespaces:
    - default
  ## Default Workflow Values
  ## Ref: https://argoproj.github.io/argo-workflows/default-workflow-specs/#setting-default-workflow-values
  ## @param controller.workflowDefaults Default Workflow Values
  ##
  workflowDefaults: {}
  ## Logging level for the controller
  ## @param controller.logging.level Level for the controller logging
  ## @param controller.logging.globalLevel Global logging level for the controller
  ##
  logging:
    level: info
    globalLevel: "0"
  ## Pod disruption budget configuration
  ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ## @param controller.pdb.enabled Create Pod Disruption Budget for the controller component
  ## @param controller.pdb.minAvailable Sets the min number of pods available for the Pod Disruption Budget
  ## @param controller.pdb.maxUnavailable Sets the max number of pods unavailable for the Pod Disruption Budget
  ##
  pdb:
    enabled: true
    minAvailable: ""
    maxUnavailable: ""
  ## Controller Service Account
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ## @param controller.serviceAccount.create Specifies whether a ServiceAccount should be created
  ## @param controller.serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
  ## @param controller.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
  ## @param controller.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: true
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## @param controller.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param controller.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param controller.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param controller.hostAliases controller pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param controller.podLabels Extra labels for controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param controller.podAnnotations Annotations for controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param controller.podAffinityPreset Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param controller.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node controller.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param controller.nodeAffinityPreset.type Node affinity preset type. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param controller.nodeAffinityPreset.key Node label key to match. Ignored if `controller.affinity` is set
    ##
    key: ""
    ## @param controller.nodeAffinityPreset.values Node label values to match. Ignored if `controller.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param controller.affinity Affinity for controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `controller.podAffinityPreset`, `controller.podAntiAffinityPreset`, and `controller.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param controller.nodeSelector Node labels for controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param controller.tolerations Tolerations for controller pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param controller.updateStrategy.type controller statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param controller.topologySpreadConstraints Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ##
  ## topologySpreadConstraints:
  ##   - maxSkew: 1
  ##     topologyKey: failure-domain.beta.kubernetes.io/zone
  ##     whenUnsatisfiable: DoNotSchedule
  ##
  topologySpreadConstraints: []
  ## @param controller.schedulerName Alternate scheduler for the server controller
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param controller.priorityClassName controller pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param controller.lifecycleHooks for the controller container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param controller.extraEnvVars Array with extra environment variables to add to controller nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param controller.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for controller nodes
  ##
  extraEnvVarsCM: ""
  ## @param controller.extraEnvVarsSecret Name of existing Secret containing extra env vars for controller nodes
  ##
  extraEnvVarsSecret: ""
  ## @param controller.extraVolumes Optionally specify extra list of additional volumes for the controller pod(s)
  ##
  extraVolumes: []
  ## @param controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the controller container(s)
  ##
  extraVolumeMounts: []
  ## @param controller.sidecars Add additional sidecar containers to the controller pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param controller.initContainers Add additional init containers to the controller pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##  - name: your-image-name
  ##    image: your-image
  ##    imagePullPolicy: Always
  ##    command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Controller service parameters
  ##
  service:
    ## @param controller.service.type controller service type
    ##
    type: ClusterIP
    ## @param controller.service.ports.metrics Metrics port for the controller
    ## @param controller.service.ports.telemetry Telemetry port for the controller
    ##
    ports:
      metrics: 8080
      telemetry: 8081
    ## Node ports to expose
    ## @param controller.service.nodePorts.metrics Node port for HTTP
    ## @param controller.service.nodePorts.telemetry Node port for HTTPS
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      metrics: ""
      telemetry: ""
    ## @param controller.service.clusterIP controller service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param controller.service.loadBalancerIP controller service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param controller.service.loadBalancerSourceRanges controller service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param controller.service.externalTrafficPolicy controller service external traffic policy
    ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param controller.service.annotations Additional custom annotations for controller service
    ##
    annotations: {}
    ## @param controller.service.extraPorts Extra port to expose on the controller service
    ##
    extraPorts: []
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param controller.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param controller.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param controller.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param controller.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param controller.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param controller.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true)
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param controller.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param controller.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
## @section Executor configuration section
##
executor:
  ## Chainguard Argo Workflow Executor image
  ## @param executor.image.registry [default: REGISTRY_NAME] executor image registry
  ## @param executor.image.repository [default: REPOSITORY_NAME/argo-workflow-exec] executor image repository
  ## @skip executor.image.tag executor image tag (immutable tags are recommended)
  ## @param executor.image.digest executor image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param executor.image.pullPolicy executor image pull policy
  ## @param executor.image.pullSecrets executor image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/argo-workflow-exec-iamguarded
    tag: 3.7.10
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Init container's resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param executor.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if executor.resources is set (executor.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param executor.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param executor.extraEnvVars Array with extra environment variables to add to server nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param executor.containerSecurityContext.enabled Enabled executor containers' Security Context
  ## @param executor.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param executor.containerSecurityContext.runAsUser Set executor containers' Security Context runAsUser
  ## @param executor.containerSecurityContext.runAsGroup Set executor containers' Security Context runAsGroup
  ## @param executor.containerSecurityContext.runAsNonRoot Set executor containers' Security Context runAsNonRoot
  ## @param executor.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
  ## @param executor.containerSecurityContext.privileged Set executor container's Security Context privileged
  ## @param executor.containerSecurityContext.allowPrivilegeEscalation Set executor container's Security Context allowPrivilegeEscalation
  ## @param executor.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param executor.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
## @section Traffic Exposure Parameters
##

## Server ingress parameters
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress record generation for server
  ##
  enabled: false
  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.hostname Default host for the ingress record
  ##
  hostname: server.local
  ## @param ingress.path Default path for the ingress record
  ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
  ##
  path: /
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ##
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Rely on cert-manager to create it by setting the corresponding annotations
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
  ## e.g:
  ## extraHosts:
  ##   - name: server.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
  ## e.g:
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## e.g:
  ## extraTls:
  ## - hosts:
  ##     - server.local
  ##   secretName: server.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets Custom TLS certificates as secrets
  ## NOTE: 'key' and 'certificate' are expected in PEM format
  ## NOTE: 'name' should line up with a 'secretName' set further up
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## secrets:
  ##   - name: server.local-tls
  ##     key: |-
  ##       -----BEGIN RSA PRIVATE KEY-----
  ##       ...
  ##       -----END RSA PRIVATE KEY-----
  ##     certificate: |-
  ##       -----BEGIN CERTIFICATE-----
  ##       ...
  ##       -----END CERTIFICATE-----
  ##
  secrets: []
  ## @param ingress.extraRules Additional rules to be covered with this ingress record
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## e.g:
  ## extraRules:
  ## - host: server.local
  ##   http:
  ##     path: /
  ##     backend:
  ##       service:
  ##         name: server-svc
  ##         port:
  ##           name: http
  ##
  extraRules: []
## @section Workflows configuration
##
workflows:
  ## Service account configuration for workflows
  ## @param workflows.serviceAccount.create Whether to create a service account to run workflows
  ## @param workflows.serviceAccount.name Service account name to run workflows
  ## @param workflows.serviceAccount.automountServiceAccountToken Automount service account token for the workflows service account
  ## @param workflows.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  serviceAccount:
    create: true
    name: ""
    automountServiceAccountToken: false
    annotations: {}
  ## Create RBAC resources to run workflows.
  ## A Role and Role Binding are created per namespace in controller.workflowNamespaces
  ## @param workflows.rbac.create Whether to create RBAC resource to run workflows
  ##
  rbac:
    create: true
## @section PostgreSQL subchart
##

## Postgresql subchart configuration
## @param postgresql.enabled Enable PostgreSQL subchart and controller persistence using PostgreSQL
## @param postgresql.service.ports.postgresql PostgreSQL port
## @param postgresql.auth.username PostgreSQL username
## @param postgresql.auth.database PostgreSQL database name
## @param postgresql.auth.password PostgreSQL database password
##
postgresql:
  enabled: true
  image:
    registry: cgr.dev
    repository: chainguard-private/postgres-iamguarded
    tag: 18.3-r2
    digest: ""
  service:
    ports:
      postgresql: 5432
  auth:
    username: postgres
    database: ig_argo_workflows
    password: ""
  primary:
    ## PostgreSQL Primary resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param postgresql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param postgresql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
## @section MySQL subchart
##

## Mysql subchart configuration
## @param mysql.enabled Enable MySQL subchart and controller persistence using MySQL
## @param mysql.service.ports.mysql MySQL port
## @param mysql.auth.username MySQL username
## @param mysql.auth.database MySQL database name
## @param mysql.auth.password MySQL database password
##
mysql:
  enabled: false
  image:
    registry: cgr.dev
    repository: chainguard-private/mysql-iamguarded
    tag: 8.4.8
    digest: ""
  service:
    ports:
      mysql: 3306
  auth:
    username: mysql
    database: ig_argo_workflows
    password: ""
  primary:
    ## MySQL primary container's resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## We usually recommend not to specify default resources and to leave this as a conscious
    ## choice for the user. This also increases chances charts run on environments with little
    ## resources, such as Minikube. If you do want to specify resources, uncomment the following
    ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    ## @param mysql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
    ##
    resourcesPreset: "small"
    ## @param mysql.primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
## @section External Database configuration
##

## External Database Configuration
## @param externalDatabase.enabled Enable using an external database and the controller to use persistence with it
## @param externalDatabase.host External Database server host
## @param externalDatabase.port External Database server port
## @param externalDatabase.username External Database username
## @param externalDatabase.password External Database user password
## @param externalDatabase.database External Database database name
## @param externalDatabase.existingSecret The name of an existing secret with database credentials
## @param externalDatabase.type Either postgresql or mysql
##
externalDatabase:
  enabled: false
  ## Either "postgresql" or "mysql"
  ##
  type: ""
  host: localhost
  port: 3306
  username: ig_workflows
  password: ""
  database: iamguarded_workflows
  ## NOTE: Must contain key `database-password`
  ## NOTE: When it's set, the `externalDatabase.password` parameter is ignored
  ##
  existingSecret: ""
