From 0c044d43f4d661e7417ad4f25d7f2c5565703ab3 Mon Sep 17 00:00:00 2001 From: Jayendra Parsai Date: Mon, 15 Jun 2026 11:49:53 +0530 Subject: [PATCH 1/3] build: update argocd-agent chart Signed-off-by: Jayendra Parsai --- helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml index b6ec58d6d..906eae200 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml @@ -30,11 +30,7 @@ serviceAccount: annotations: {} automountServiceAccountToken: true podSecurityContext: - fsGroup: 999 - fsGroupChangePolicy: OnRootMismatch - runAsGroup: 999 runAsNonRoot: true - runAsUser: 999 seccompProfile: type: RuntimeDefault securityContext: @@ -44,9 +40,7 @@ securityContext: - ALL privileged: false readOnlyRootFilesystem: true - runAsGroup: 999 runAsNonRoot: true - runAsUser: 999 seccompProfile: type: RuntimeDefault rbac: From 3fcab2896741f953e246213eeab43e8fcd6e790d Mon Sep 17 00:00:00 2001 From: Jayendra Parsai Date: Mon, 15 Jun 2026 12:16:18 +0530 Subject: [PATCH 2/3] build: update argocd-agent chart Signed-off-by: Jayendra Parsai --- hack/generate-agent-helm-chart.py | 13 + .../redhat-argocd-agent/0.9.0/src/README.md | 25 +- .../0.9.0/src/templates/_helpers.tpl | 16 +- .../src/templates/agent-clusterrole.yaml | 2 - .../templates/agent-clusterrolebinding.yaml | 2 - .../0.9.0/src/templates/agent-deployment.yaml | 63 ++-- .../0.9.0/src/templates/agent-params-cm.yaml | 14 +- .../0.9.0/src/templates/agent-role.yaml | 4 +- .../src/templates/agent-rolebinding.yaml | 2 - .../0.9.0/src/values.schema.json | 282 +----------------- .../redhat-argocd-agent/0.9.0/src/values.yaml | 50 +--- 11 files changed, 64 insertions(+), 409 deletions(-) diff --git a/hack/generate-agent-helm-chart.py b/hack/generate-agent-helm-chart.py index dc88789a7..31df4679f 100644 
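Review bot: Dropping `runAsUser: 999` and `runAsGroup: 999` from both `podSecurityContext` and `securityContext` while keeping `runAsNonRoot: true` moves the job of supplying a numeric non-root UID to the image metadata or an admission controller; if the image has no numeric `USER` and nothing mutates the pod, the kubelet refuses to start the container (CreateContainerConfigError), so the values file should say what is expected. The intent looks like OpenShift SCC UID assignment (the `registry.redhat.io` image elsewhere in the series suggests it), but nothing in values.yaml records it; add above `podSecurityContext:` a comment such as `# No fixed UID/GID: OpenShift SCCs assign one from the namespace range. On plain Kubernetes either set runAsUser/runAsGroup here or make sure the image declares a numeric non-root USER; runAsNonRoot alone does not provide one.` Removing `fsGroup` also means the mounted TLS client-cert and CA secret volumes are no longer group-owned by 999; with the Kubernetes default 0644 secret mode that is harmless, but confirm no restrictive `defaultMode` is set on those mounts in the deployment template, which is outside this hunk.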
--- a/hack/generate-agent-helm-chart.py +++ b/hack/generate-agent-helm-chart.py @@ -91,6 +91,19 @@ def update_copied_chart_files(version: str, image_repository: str, image_tag: st image["tag"] = image_tag values["image"] = image + values["podSecurityContext"] = { + "runAsNonRoot": True, + "seccompProfile": {"type": "RuntimeDefault"}, + } + values["securityContext"] = { + "allowPrivilegeEscalation": False, + "capabilities": {"drop": ["ALL"]}, + "privileged": False, + "readOnlyRootFilesystem": True, + "runAsNonRoot": True, + "seccompProfile": {"type": "RuntimeDefault"}, + } + with values_path.open("w", encoding="utf-8") as file: yaml.safe_dump(values, file, sort_keys=False) diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/README.md b/helm-charts/redhat-argocd-agent/0.9.0/src/README.md index e9cbb9296..3dbe8a63d 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/README.md +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/README.md @@ -1,6 +1,6 @@ # argocd-agent-agent -![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.8.1](https://img.shields.io/badge/AppVersion-v0.8.1-informational?style=flat-square) +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.1](https://img.shields.io/badge/AppVersion-0.4.1-informational?style=flat-square) Argo CD Agent for connecting managed clusters to a Principal 
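Review bot: The two assignments `values["podSecurityContext"] = {...}` and `values["securityContext"] = {...}` replace the upstream dicts wholesale, so any hardening key the upstream chart adds later (or a stricter `seccompProfile`) is silently discarded on the next regeneration, and the reason for dropping the fixed `runAsUser`/`runAsGroup`/`fsGroup` is not recorded anywhere in the script. `update_copied_chart_files` starts outside the hunk. I would make the overwrite deliberate with a comment right above the first assignment: `# Overwrite (do not merge) the upstream security contexts: the fixed UID/GID 999 is dropped so OpenShift SCCs can assign one from the namespace range; runAsNonRoot still needs a numeric non-root UID from the image USER or the SCC.` If upstream hardening is meant to survive, merge instead of replacing, copying `values.get("securityContext", {})` minus the `runAsUser`, `runAsGroup` and `fsGroup` keys and then applying the explicit settings on top.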
@@ -33,30 +33,22 @@ Kubernetes: `>=1.24.0-0` | cacheRefreshInterval | string | `"10s"` | Cache refresh interval. | | createNamespace | bool | `false` | Whether to create target namespaces automatically when they don't exist. Used with destination-based mapping. | | destinationBasedMapping | bool | `false` | Whether to enable destination-based mapping. When enabled, the agent creates applications in their original namespace (preserving the namespace from the principal) instead of the agent's own namespace. | -| dnsConfig | object | `{}` | DNS config for the Pod. Only honored when `dnsPolicy` is "None". | -| dnsPolicy | string | `""` | DNS policy for the Pod (e.g. ClusterFirst, None). Empty leaves the default. | | enableCompression | bool | `false` | Whether to enable gRPC compression. | | enableResourceProxy | bool | `true` | Whether to enable resource proxy. | | enableWebSocket | bool | `false` | Whether to enable WebSocket connections. | -| fullnameOverride | string | `""` | Override the fully-qualified resource name (defaults to `-agent-helm`). | | healthzPort | string | `"8002"` | Healthz server port exposed by the agent. | -| hostAliases | list | `[]` | Host aliases injected into /etc/hosts of the agent Pod. | -| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the agent container. | +| image.pullPolicy | string | `"Always"` | Image pull policy for the agent container. | | image.repository | string | `"ghcr.io/argoproj-labs/argocd-agent/argocd-agent"` | Container image repository for the agent. | -| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | -| imagePullSecrets | list | `[]` | Image pull secrets for private registries. | -| informerSyncTimeout | string | `"10s"` | Timeout for the initial informer sync at agent startup. Increase on large clusters or when the API server is under heavy load. | +| image.tag | string | `"latest"` | Container image tag for the agent. 
| | keepAliveInterval | string | `"50s"` | Keep-alive interval for connections. | | labelSelector | string | `""` | Kubernetes label selector to restrict which resources the agent watches. Only matching resources will be listed, watched, and processed. | | logFormat | string | `"text"` | Log format for the agent (text or json). | | logLevel | string | `"info"` | Log level for the agent. | | metricsPort | string | `"8181"` | Metrics server port exposed by the agent. | -| nameOverride | string | `""` | Override the chart name used in `app.kubernetes.io/name` Also changes `spec.selector.matchLabels`, which is immutable — do not set after initial install unless you are prepared to delete+reinstall. | | namespaceOverride | string | `""` | Override namespace to deploy the agent into. Leave empty to use the release namespace. | | nodeSelector | object | `{}` | Node selector for scheduling the agent Pod. | | podAnnotations | object | `{}` | Additional annotations to add to the agent Pod. | | podLabels | object | `{}` | Additional labels to add to the agent Pod. | -| podSecurityContext | object | `{"fsGroup":999,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":999,"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod-level securityContext. Applied to the Pod spec. | | pprofPort | string | `"0"` | Port for pprof server (0 disables pprof). | | priorityClassName | string | `""` | PriorityClassName for the agent Pod. | | probes | object | `{"liveness":{"enabled":true,"failureThreshold":3,"httpGet":{"path":"/healthz","port":"healthz"},"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":2},"readiness":{"enabled":true,"failureThreshold":3,"httpGet":{"path":"/healthz","port":"healthz"},"initialDelaySeconds":5,"periodSeconds":10,"timeoutSeconds":2}}` | Liveness and readiness probe configuration. | 
@@ -70,9 +62,6 @@ Kubernetes: `>=1.24.0-0` | probes.readiness.initialDelaySeconds | int | `5` | Initial delay before the first readiness probe. | | probes.readiness.periodSeconds | int | `10` | Frequency of readiness probes. | | probes.readiness.timeoutSeconds | int | `2` | Timeout for readiness probe. | -| progressDeadlineSeconds | int | `600` | Time allowed for the Deployment to make progress before the controller reports failure. | -| rbac.create | bool | `true` | Create namespace-scoped Role and RoleBinding for the agent. | -| rbac.createClusterRole | bool | `true` | Create cluster-scoped ClusterRole and ClusterRoleBinding. Required for destination-based mapping, create-namespace, and resource-proxy discovery across multiple namespaces. Leave `false` to keep the agent strictly namespace-scoped. | | redisAddress | string | `"argocd-redis:6379"` | Redis address used by the agent. | | redisTLS | object | `{"caPath":"/app/config/redis-tls/ca.crt","enabled":false,"insecure":false,"secretName":"argocd-redis-tls"}` | Redis TLS configuration. | | redisTLS.caPath | string | `"/app/config/redis-tls/ca.crt"` | Path to CA certificate for verifying Redis TLS certificate. This path is where the CA certificate will be mounted inside the container. | 
@@ -82,8 +71,6 @@ Kubernetes: `>=1.24.0-0` | redisUsername | string | `""` | Redis username for authentication. | | replicaCount | int | `1` | Number of replicas for the agent Deployment. | | resources | object | `{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resource requests and limits for the agent Pod. | -| revisionHistoryLimit | int | `10` | Number of old ReplicaSets to retain for rollback. | -| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"RuntimeDefault"}}` | Container-level securityContext. Applied to the agent container. | | server | string | `"principal.server.address.com"` | Principal server address (hostname or host:port). | | serverPort | string | `"443"` | Principal server port. | | service | object | `{"healthz":{"annotations":{},"port":8002,"targetPort":8002},"metrics":{"annotations":{},"port":8181,"targetPort":8181}}` | Service configuration for metrics and healthz endpoints. | @@ -110,7 +97,6 @@ Kubernetes: `>=1.24.0-0` | serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme | | serviceMonitor.scrapeTimeout | string | `"10s"` | Prometheus scrape timeout. Must be a valid duration string (e.g. "10s"). | | serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | -| terminationGracePeriodSeconds | int | `30` | Grace period for Pod termination (seconds). | | tests | object | `{"enabled":false,"image":"bitnamilegacy/kubectl","tag":"1.33.4"}` | Configuration for helm-chart tests. | | tests.enabled | bool | `false` | By default, chart tests are disabled. | | tests.image | string | `"bitnamilegacy/kubectl"` | Test image. | 
@@ -119,16 +105,13 @@ Kubernetes: `>=1.24.0-0` | tlsClientCertPath | string | `""` | Path to the TLS client certificate. | | tlsClientInSecure | string | `"false"` | Whether to skip TLS verification for client connections. | | tlsClientKeyPath | string | `""` | Path to the TLS client key. | -| tlsInsecurePlaintext | string | `"false"` | Whether to connect to the principal without TLS | | tlsMaxVersion | string | `""` | Maximum TLS version to use (tls1.1, tls1.2, tls1.3). Empty uses highest available. | | tlsMinVersion | string | `""` | Minimum TLS version to use (tls1.1, tls1.2, tls1.3). Empty uses Go default. | | tlsRootCAPath | string | `""` | Path to the TLS root CA certificate. | | tlsRootCASecretName | string | `"argocd-agent-ca"` | Name of the Secret containing root CA certificate. | | tlsSecretName | string | `"argocd-agent-client-tls"` | Name of the TLS Secret containing client cert/key for mTLS. | | tolerations | list | `[]` | Tolerations for the agent Pod. | -| topologySpreadConstraints | list | `[]` | Topology spread constraints for the agent Pod. | -| updateStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"}` | Deployment update strategy (passed through as `spec.strategy`). | | userPasswordSecretName | string | `"argocd-agent-agent-userpass"` | Name of the Secret containing agent username/password (if used). | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/_helpers.tpl b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/_helpers.tpl index f9164221a..6da09f085 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/_helpers.tpl +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/_helpers.tpl 
@@ -94,15 +94,6 @@ Name for resources used exclusively by Helm tests. {{- printf "%s-test" (include "argocd-agent-agent.agentBaseName" .) | trunc 63 | trimSuffix "-" }} {{- end }} -{{/* -Create default image tag. Uses appVersion as the default, which can be -overridden by setting image.tag in values.yaml. This follows the same -pattern as the official argo-cd Helm chart (argo-cd.defaultTag). -*/}} -{{- define "argocd-agent-agent.defaultTag" -}} -{{- default .Chart.AppVersion .Values.image.tag }} -{{- end -}} - {{/* Create chart name and version as used by the chart label. */}} @@ -123,13 +114,10 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} {{/* -Selector labels. -NOTE: `spec.selector.matchLabels` is immutable on Deployments. Changing any -value emitted here after the initial install (e.g. by setting -`.Values.nameOverride`) requires deleting and reinstalling the release. +Selector labels */}} {{- define "argocd-agent-agent.selectorLabels" -}} -app.kubernetes.io/name: {{ include "argocd-agent-agent.name" . }} +app.kubernetes.io/name: argocd-agent-agent app.kubernetes.io/part-of: argocd-agent app.kubernetes.io/component: agent app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrole.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrole.yaml index ac76c0532..7736796d5 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrole.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrole.yaml @@ -1,4 +1,3 @@ -{{- if and .Values.rbac.create .Values.rbac.createClusterRole }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -27,4 +26,3 @@ rules: - update - delete - patch -{{- end }} 
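Review bot: Removing the `{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}` guard from agent-clusterrole.yaml makes the ClusterRole (with `update`/`delete`/`patch` verbs visible at the end of the hunk) unconditional on every install, so the namespace-scoped deployment that the removed README text described (`createClusterRole: false` to keep the agent strictly namespace-scoped) is no longer possible. That is a least-privilege regression for clusters where the agent is only meant to manage one namespace, and it also removes the option to bring pre-provisioned RBAC. Keep the guard: `{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}` at the top and `{{- end }}` at the bottom, with the matching values and schema entries. If the intent is only to regenerate from an older upstream chart, note that PATCH 3's diffstat reverts this file, in which case the two patches should be squashed so this state never lands in history.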
diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrolebinding.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrolebinding.yaml index dd1f21e0a..ea01f5d02 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrolebinding.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrolebinding.yaml @@ -1,4 +1,3 @@ -{{- if and .Values.rbac.create .Values.rbac.createClusterRole }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -13,4 +12,3 @@ subjects: - kind: ServiceAccount name: {{ include "argocd-agent-agent.serviceAccountName" . }} namespace: {{ include "argocd-agent-agent.namespace" . }} -{{- end }} diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-deployment.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-deployment.yaml index 715fda3ad..140b5a8af 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-deployment.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-deployment.yaml @@ -7,12 +7,6 @@ metadata: {{- include "argocd-agent-agent.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} - revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} - progressDeadlineSeconds: {{ .Values.progressDeadlineSeconds }} - {{- with .Values.updateStrategy }} - strategy: - {{- toYaml . | nindent 4 }} - {{- end }} selector: matchLabels: {{- include "argocd-agent-agent.selectorLabels" . | nindent 6 }} 
@@ -25,34 +19,22 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} serviceAccountName: {{ include "argocd-agent-agent.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- with .Values.priorityClassName }} priorityClassName: {{ . }} {{- end }} - {{- with .Values.podSecurityContext }} securityContext: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.hostAliases }} - hostAliases: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.dnsPolicy }} - dnsPolicy: {{ . }} - {{- end }} - {{- with .Values.dnsConfig }} - dnsConfig: - {{- toYaml . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + fsGroup: 999 + fsGroupChangePolicy: "OnRootMismatch" + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 999 + seccompProfile: + type: RuntimeDefault containers: - name: argocd-agent-agent - image: "{{ .Values.image.repository }}:{{ include "argocd-agent-agent.defaultTag" . }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - agent @@ -201,7 +183,7 @@ spec: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} key: agent.redis.tls.insecure optional: true - - name: ARGOCD_AGENT_LOG_FORMAT + - name: ARGOCD_PRINCIPAL_LOG_FORMAT valueFrom: configMapKeyRef: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} @@ -237,12 +219,6 @@ spec: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} key: agent.cache.refresh-interval optional: true - - name: ARGOCD_AGENT_INFORMER_SYNC_TIMEOUT - valueFrom: - configMapKeyRef: - name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} - key: agent.informer-sync-timeout - optional: true - name: ARGOCD_AGENT_DESTINATION_BASED_MAPPING valueFrom: configMapKeyRef: 
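Review bot: Renaming the environment variable to `ARGOCD_PRINCIPAL_LOG_FORMAT` while its `configMapKeyRef` still reads `agent.log.format` is inconsistent with every other variable in this container, which carries the `ARGOCD_AGENT_` prefix; the agent process presumably never reads the principal-prefixed name, so the configured log format would be silently ignored. Restore `- name: ARGOCD_AGENT_LOG_FORMAT`. The hardcoded pod `securityContext` with `runAsUser: 999` / `fsGroup: 999` also reintroduces exactly what PATCH 1 removed and takes away the `.Values.podSecurityContext` override, and dropping the `imagePullSecrets` passthrough leaves no chart-level way to authenticate to a private registry. The Deployment's container spec continues past the end of this hunk.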
@@ -267,6 +243,9 @@ spec: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} key: agent.label-selector optional: true + name: argocd-agent-agent + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: metrics containerPort: {{ .Values.metricsPort }} @@ -294,10 +273,18 @@ spec: timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} failureThreshold: {{ .Values.probes.readiness.failureThreshold }} {{- end }} - {{- with .Values.securityContext }} securityContext: - {{- toYaml . | nindent 12 }} - {{- end }} + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 999 + seccompProfile: + type: RuntimeDefault resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: @@ -323,8 +310,4 @@ spec: {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.topologySpreadConstraints }} - topologySpreadConstraints: - {{- toYaml . | nindent 8 }} {{- end }} \ No newline at end of file diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-params-cm.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-params-cm.yaml index 1dd2dea62..4a668f921 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-params-cm.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-params-cm.yaml 
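Review bot: The three added lines `name: argocd-agent-agent`, `image: ...` and `imagePullPolicy: ...` after the env list duplicate keys that already exist at the top of the same container entry (the `- name: argocd-agent-agent` / `image:` / `imagePullPolicy:` lines in the earlier hunk), producing a mapping with repeated keys; strict YAML decoders reject that and lenient ones apply last-wins, neither of which is wanted. Delete the three lines. The container `securityContext` in the next hunk is likewise hardcoded with `runAsUser: 999`, contradicting PATCH 1 and removing the `{{- with .Values.securityContext }}` override that lets operators tighten or adapt it; keep the values-driven form. The trailing `{{- end }}` now closes `tolerations` only, and the file loses its final newline.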
@@ -100,9 +100,6 @@ data: # agent.cache.refresh-interval: Cache refresh interval. # Default: "10s" agent.cache.refresh-interval: {{ .Values.cacheRefreshInterval | quote }} - # agent.informer-sync-timeout: Timeout for the initial informer sync at startup. - # Default: "10s" - agent.informer-sync-timeout: {{ .Values.informerSyncTimeout | quote }} # agent.destination-based-mapping: Whether to enable destination-based mapping. # When enabled, the agent creates applications in their original namespace # (preserving the namespace from the principal) instead of the agent's own namespace. @@ -114,21 +111,16 @@ data: # agent.allowed-namespaces: Additional namespaces the agent can manage. # Default: "" agent.allowed-namespaces: {{ .Values.allowedNamespaces | quote }} - # agent.tls.insecure-plaintext: Connect to the principal without TLS. Only use - # when running behind a service mesh (e.g., Istio) that handles mTLS at - # the sidecar level. - # Default: false - agent.tls.insecure-plaintext: {{ .Values.tlsInsecurePlaintext | quote }} # agent.label-selector: Kubernetes label selector to restrict which # resources the agent watches. # Default: "" agent.label-selector: {{ .Values.labelSelector | quote }} # agent.redis.tls.enabled: Whether to enable TLS for Redis connections. - # Default: false - agent.redis.tls.enabled: {{ .Values.redisTLS.enabled | quote }} + # Default: true + agent.redis.tls.enabled: {{ .Values.redisTLS.enabled }} # agent.redis.tls.ca-path: Path to CA certificate for verifying Redis TLS certificate. # Default: "" agent.redis.tls.ca-path: {{ .Values.redisTLS.caPath | quote }} # agent.redis.tls.insecure: INSECURE: Do not verify Redis TLS certificate. # Default: false - agent.redis.tls.insecure: {{ .Values.redisTLS.insecure | quote }} + agent.redis.tls.insecure: {{ .Values.redisTLS.insecure }} 
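Review bot: `agent.redis.tls.enabled: {{ .Values.redisTLS.enabled }}` and `agent.redis.tls.insecure: {{ .Values.redisTLS.insecure }}` drop the `| quote`, so a boolean value renders as an unquoted YAML `true`/`false`; ConfigMap `data` values must be strings, and the API server rejects the object on install. Restore `agent.redis.tls.enabled: {{ .Values.redisTLS.enabled | quote }}` and the same for `insecure`. The comment above it now reads `# Default: true` although the chart default shown in the README and values elsewhere in this series is `enabled: false`; a TLS-to-Redis flag whose documented default does not match reality invites operators to assume the Redis link is encrypted when it is not. Removing the `agent.tls.insecure-plaintext` key also deletes the only place that warned the plaintext mode is for service-mesh use only; if the option is kept in the binary, the key and warning should stay.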
diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-role.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-role.yaml index 34a89b35f..142ec3252 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-role.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-role.yaml @@ -1,4 +1,3 @@ -{{- if .Values.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -40,5 +39,4 @@ rules: - events verbs: - create - - list -{{- end }} + - list \ No newline at end of file diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-rolebinding.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-rolebinding.yaml index af84bb0ef..e7a9e782c 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-rolebinding.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-rolebinding.yaml @@ -1,4 +1,3 @@ -{{- if .Values.rbac.create -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -14,4 +13,3 @@ subjects: - kind: ServiceAccount name: {{ include "argocd-agent-agent.serviceAccountName" . }} namespace: {{ include "argocd-agent-agent.namespace" . }} -{{- end }} diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/values.schema.json b/helm-charts/redhat-argocd-agent/0.9.0/src/values.schema.json index 0b23452ad..b882c607c 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/values.schema.json +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/values.schema.json 
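Review bot: Removing `{{- if .Values.rbac.create -}}` from agent-role.yaml and agent-rolebinding.yaml makes the namespace Role and its binding unconditional, so operators who pre-provision RBAC (or want to review it separately) can no longer disable chart-managed RBAC, and `helm install` will collide with existing resources of the same name. Keep the guard: `{{- if .Values.rbac.create -}}` at the top and `{{- end }}` at the bottom of both templates. The role file also loses its trailing newline, which is harmless but makes future diffs noisier.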
@@ -51,12 +51,6 @@ "title": "cacheRefreshInterval", "type": "string" }, - "informerSyncTimeout": { - "default": "10s", - "description": "Timeout for the initial informer sync at agent startup. Increase on large clusters or when the API server is under heavy load.", - "title": "informerSyncTimeout", - "type": "string" - }, "createNamespace": { "default": false, "description": "Whether to create target namespaces automatically when they don't exist.\nUsed with destination-based mapping.", @@ -69,19 +63,6 @@ "title": "destinationBasedMapping", "type": "boolean" }, - "dnsConfig": { - "additionalProperties": true, - "description": "DNS config for the Pod. Only honored when `dnsPolicy` is \"None\".", - "required": [], - "title": "dnsConfig", - "type": "object" - }, - "dnsPolicy": { - "default": "", - "description": "DNS policy for the Pod (e.g. ClusterFirst, None). Empty leaves the default.", - "title": "dnsPolicy", - "type": "string" - }, "enableCompression": { "default": false, "description": "Whether to enable gRPC compression.", @@ -100,12 +81,6 @@ "title": "enableWebSocket", "type": "boolean" }, - "fullnameOverride": { - "default": "", - "description": "Override the fully-qualified resource name (defaults to `\u003crelease\u003e-agent-helm`).", - "title": "fullnameOverride", - "type": "string" - }, "global": { "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", "required": [], @@ -118,20 +93,12 @@ "title": "healthzPort", "type": "string" }, - "hostAliases": { - "description": "Host aliases injected into /etc/hosts of the agent Pod.", - "items": { - "required": [] - }, - "title": "hostAliases", - "type": "array" - }, "image": { "additionalProperties": false, "description": "#", "properties": { "pullPolicy": { - "default": "IfNotPresent", + "default": "Always", "description": "Image pull policy for the agent container.", "title": "pullPolicy", "type": "string" 
@@ -143,8 +110,8 @@ "type": "string" }, "tag": { - "default": "", - "description": "Overrides the image tag whose default is the chart appVersion.", + "default": "latest", + "description": "Container image tag for the agent.", "title": "tag", "type": "string" } @@ -157,14 +124,6 @@ "title": "image", "type": "object" }, - "imagePullSecrets": { - "description": "Image pull secrets for private registries.", - "items": { - "required": [] - }, - "title": "imagePullSecrets", - "type": "array" - }, "keepAliveInterval": { "default": "50s", "description": "Keep-alive interval for connections.", @@ -189,12 +148,6 @@ "title": "metricsPort", "type": "string" }, - "nameOverride": { - "default": "", - "description": "Override the chart name used in `app.kubernetes.io/name`\nAlso changes `spec.selector.matchLabels`, which is immutable — do not set after initial\ninstall unless you are prepared to delete+reinstall.", - "title": "nameOverride", - "type": "string" - }, "namespaceOverride": { "default": "", "description": "#\nOverride namespace to deploy the agent into. Leave empty to use the release namespace.", 
@@ -222,55 +175,6 @@ "title": "podLabels", "type": "object" }, - "podSecurityContext": { - "additionalProperties": true, - "description": "#\nPod-level securityContext. Applied to the Pod spec.", - "properties": { - "fsGroup": { - "default": 999, - "title": "fsGroup", - "type": "integer" - }, - "fsGroupChangePolicy": { - "default": "OnRootMismatch", - "title": "fsGroupChangePolicy", - "type": "string" - }, - "runAsGroup": { - "default": 999, - "title": "runAsGroup", - "type": "integer" - }, - "runAsNonRoot": { - "default": true, - "title": "runAsNonRoot", - "type": "boolean" - }, - "runAsUser": { - "default": 999, - "title": "runAsUser", - "type": "integer" - }, - "seccompProfile": { - "additionalProperties": true, - "properties": { - "type": { - "default": "RuntimeDefault", - "title": "type", - "type": "string" - } - }, - "required": [ - "type" - ], - "title": "seccompProfile", - "type": "object" - } - }, - "required": [], - "title": "podSecurityContext", - "type": "object" - }, "pprofPort": { "default": "0", "description": "Port for pprof server (0 disables pprof).", 
@@ -427,36 +331,6 @@ "title": "probes", "type": "object" }, - "progressDeadlineSeconds": { - "default": 600, - "description": "Time allowed for the Deployment to make progress before the controller reports failure.", - "title": "progressDeadlineSeconds", - "type": "integer" - }, - "rbac": { - "additionalProperties": false, - "description": "#", - "properties": { - "create": { - "default": true, - "description": "Create namespace-scoped Role and RoleBinding for the agent.", - "title": "create", - "type": "boolean" - }, - "createClusterRole": { - "default": true, - "description": "Create cluster-scoped ClusterRole and ClusterRoleBinding. Required for\ndestination-based mapping, create-namespace, and resource-proxy discovery\nacross multiple namespaces. Leave `false` to keep the agent strictly\nnamespace-scoped.", - "title": "createClusterRole", - "type": "boolean" - } - }, - "required": [ - "create", - "createClusterRole" - ], - "title": "rbac", - "type": "object" - }, "redisAddress": { "default": "argocd-redis:6379", "description": "Redis address used by the agent.", 
@@ -559,88 +433,6 @@ "title": "resources", "type": "object" }, - "revisionHistoryLimit": { - "default": 10, - "description": "Number of old ReplicaSets to retain for rollback.", - "title": "revisionHistoryLimit", - "type": "integer" - }, - "securityContext": { - "additionalProperties": true, - "description": "#\nContainer-level securityContext. Applied to the agent container.", - "properties": { - "allowPrivilegeEscalation": { - "default": false, - "title": "allowPrivilegeEscalation", - "type": "boolean" - }, - "capabilities": { - "additionalProperties": false, - "properties": { - "drop": { - "items": { - "anyOf": [ - { - "type": "string" - } - ], - "required": [] - }, - "title": "drop", - "type": "array" - } - }, - "required": [ - "drop" - ], - "title": "capabilities", - "type": "object" - }, - "privileged": { - "default": false, - "title": "privileged", - "type": "boolean" - }, - "readOnlyRootFilesystem": { - "default": true, - "title": "readOnlyRootFilesystem", - "type": "boolean" - }, - "runAsGroup": { - "default": 999, - "title": "runAsGroup", - "type": "integer" - }, - "runAsNonRoot": { - "default": true, - "title": "runAsNonRoot", - "type": "boolean" - }, - "runAsUser": { - "default": 999, - "title": "runAsUser", - "type": "integer" - }, - "seccompProfile": { - "additionalProperties": true, - "properties": { - "type": { - "default": "RuntimeDefault", - "title": "type", - "type": "string" - } - }, - "required": [ - "type" - ], - "title": "seccompProfile", - "type": "object" - } - }, - "required": [], - "title": "securityContext", - "type": "object" - }, "server": { "default": "principal.server.address.com", "description": "Principal server address (hostname or host:port).", 
@@ -860,12 +652,6 @@ "title": "serviceMonitor", "type": "object" }, - "terminationGracePeriodSeconds": { - "default": 30, - "description": "Grace period for Pod termination (seconds).", - "title": "terminationGracePeriodSeconds", - "type": "integer" - }, "tests": { "additionalProperties": false, "description": "#\nConfiguration for helm-chart tests.", @@ -921,12 +707,6 @@ "title": "tlsClientKeyPath", "type": "string" }, - "tlsInsecurePlaintext": { - "default": "false", - "description": "Whether to connect to the principal without TLS", - "title": "tlsInsecurePlaintext", - "type": "string" - }, "tlsMaxVersion": { "default": "", "description": "Maximum TLS version to use (tls1.1, tls1.2, tls1.3). Empty uses highest available.", @@ -965,51 +745,6 @@ "title": "tolerations", "type": "array" }, - "topologySpreadConstraints": { - "description": "Topology spread constraints for the agent Pod.", - "items": { - "required": [] - }, - "title": "topologySpreadConstraints", - "type": "array" - }, - "updateStrategy": { - "additionalProperties": true, - "description": "Deployment update strategy (passed through as `spec.strategy`).", - "properties": { - "rollingUpdate": { - "additionalProperties": true, - "properties": { - "maxSurge": { - "default": "25%", - "title": "maxSurge", - "type": "string" - }, - "maxUnavailable": { - "default": "25%", - "title": "maxUnavailable", - "type": "string" - } - }, - "required": [ - "maxSurge", - "maxUnavailable" - ], - "title": "rollingUpdate", - "type": "object" - }, - "type": { - "default": "RollingUpdate", - "title": "type", - "type": "string" - } - }, - "required": [ - "type" - ], - "title": "updateStrategy", - "type": "object" - }, "userPasswordSecretName": { "default": "argocd-agent-agent-userpass", "description": "Name of the Secret containing agent username/password (if used).", 
@@ -1021,24 +756,17 @@ "namespaceOverride", "image", "replicaCount", - "updateStrategy", - "revisionHistoryLimit", - "progressDeadlineSeconds", "tlsSecretName", "tlsRootCASecretName", "userPasswordSecretName", "resources", "serviceAccount", - "podSecurityContext", - "securityContext", - "rbac", "nodeSelector", "affinity", "tolerations", "podAnnotations", "podLabels", "priorityClassName", - "terminationGracePeriodSeconds", "probes", "agentMode", "auth", @@ -1058,7 +786,6 @@ "pprofPort", "enableResourceProxy", "cacheRefreshInterval", - "informerSyncTimeout", "keepAliveInterval", "tlsClientKeyPath", "tlsClientCertPath", @@ -1067,11 +794,8 @@ "tlsMaxVersion", "tlsCipherSuites", "allowedNamespaces", - "tlsInsecurePlaintext", "destinationBasedMapping", "createNamespace", - "labelSelector", - "redisTLS", "service", "serviceMonitor", "tests" diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml index 906eae200..eea5473ed 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml @@ -1,19 +1,9 @@ namespaceOverride: '' -nameOverride: '' -fullnameOverride: '' image: repository: registry.redhat.io/openshift-gitops-1/argocd-agent-rhel9 tag: v1.21.0 - pullPolicy: IfNotPresent + pullPolicy: Always replicaCount: 1 -imagePullSecrets: [] -updateStrategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 25% - maxUnavailable: 25% -revisionHistoryLimit: 10 -progressDeadlineSeconds: 600 tlsSecretName: argocd-agent-client-tls tlsRootCASecretName: argocd-agent-ca userPasswordSecretName: argocd-agent-agent-userpass 
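Review bot: In the values.yaml hunk, `pullPolicy: Always` combined with the removal of `imagePullSecrets: []` weakens the supply-chain posture rather than improving it: the image is `registry.redhat.io/openshift-gitops-1/argocd-agent-rhel9`, which requires registry authentication, so without the chart-level pull-secret passthrough only a cluster-wide or service-account pull secret can satisfy the pull, and `Always` on the pinned tag `v1.21.0` makes every pod restart depend on registry availability while adding no integrity guarantee. Keep `imagePullSecrets: []` and `pullPolicy: IfNotPresent`, and pin by digest (`repository@sha256:...`) if freshness or immutability is the concern. The schema hunk above also now declares the tag default as `latest` while values pins `v1.21.0`, so the two disagree. PATCH 3's diffstat reverts this file wholesale; squash PATCH 2 and PATCH 3 so the intermediate state (rbac toggles gone, `latest` default, hardcoded UID 999) never exists in history.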
@@ -29,34 +19,12 @@ serviceAccount: name: '' annotations: {} automountServiceAccountToken: true -podSecurityContext: - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault -securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault -rbac: - create: true - createClusterRole: true nodeSelector: {} affinity: {} tolerations: [] -topologySpreadConstraints: [] podAnnotations: {} podLabels: {} priorityClassName: '' -terminationGracePeriodSeconds: 30 -hostAliases: [] -dnsPolicy: '' -dnsConfig: {} probes: liveness: enabled: true @@ -94,7 +62,6 @@ enableCompression: false pprofPort: '0' enableResourceProxy: true cacheRefreshInterval: 10s -informerSyncTimeout: 10s keepAliveInterval: 50s tlsClientKeyPath: '' tlsClientCertPath: '' @@ -103,7 +70,6 @@ tlsMinVersion: '' tlsMaxVersion: '' tlsCipherSuites: '' allowedNamespaces: '' -tlsInsecurePlaintext: 'false' destinationBasedMapping: false createNamespace: false labelSelector: '' @@ -137,3 +103,17 @@ tests: enabled: false image: bitnamilegacy/kubectl tag: 1.33.4 +podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault From 997235bd6d475c4ac4e2bb642582fcd12b95787a Mon Sep 17 00:00:00 2001 From: Siddhesh Ghadi Date: Mon, 15 Jun 2026 12:35:11 +0530 Subject: [PATCH 3/3] Regenerate chart 
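Review bot: Only the `hack/generate-agent-helm-chart.py` change of this patch survives the series: every chart-file hunk here, including the `pullPolicy: Always` flip and the `podSecurityContext`/`securityContext` block appended at the end of values.yaml, is reversed by patch 3, which restores `IfNotPresent` and moves the same block back under `serviceAccount`. Reviewing the two commits as one would be clearer, and squashing them keeps the history bisectable rather than leaving an intermediate state whose schema and values disagree with the templates.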
Signed-off-by: Siddhesh Ghadi --- .../redhat-argocd-agent/0.9.0/src/README.md | 25 +- .../0.9.0/src/templates/_helpers.tpl | 16 +- .../src/templates/agent-clusterrole.yaml | 2 + .../templates/agent-clusterrolebinding.yaml | 2 + .../0.9.0/src/templates/agent-deployment.yaml | 63 ++-- .../0.9.0/src/templates/agent-params-cm.yaml | 14 +- .../0.9.0/src/templates/agent-role.yaml | 4 +- .../src/templates/agent-rolebinding.yaml | 2 + .../0.9.0/src/values.schema.json | 282 +++++++++++++++++- .../redhat-argocd-agent/0.9.0/src/values.yaml | 50 +++- 10 files changed, 409 insertions(+), 51 deletions(-) diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/README.md b/helm-charts/redhat-argocd-agent/0.9.0/src/README.md index 3dbe8a63d..e9cbb9296 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/README.md +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/README.md @@ -1,6 +1,6 @@ # argocd-agent-agent -![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.4.1](https://img.shields.io/badge/AppVersion-0.4.1-informational?style=flat-square) +![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.8.1](https://img.shields.io/badge/AppVersion-v0.8.1-informational?style=flat-square) Argo CD Agent for connecting managed clusters to a Principal 
@@ -33,22 +33,30 @@ Kubernetes: `>=1.24.0-0` | cacheRefreshInterval | string | `"10s"` | Cache refresh interval. | | createNamespace | bool | `false` | Whether to create target namespaces automatically when they don't exist. Used with destination-based mapping. | | destinationBasedMapping | bool | `false` | Whether to enable destination-based mapping. When enabled, the agent creates applications in their original namespace (preserving the namespace from the principal) instead of the agent's own namespace. | +| dnsConfig | object | `{}` | DNS config for the Pod. Only honored when `dnsPolicy` is "None". | +| dnsPolicy | string | `""` | DNS policy for the Pod (e.g. ClusterFirst, None). Empty leaves the default. | | enableCompression | bool | `false` | Whether to enable gRPC compression. | | enableResourceProxy | bool | `true` | Whether to enable resource proxy. | | enableWebSocket | bool | `false` | Whether to enable WebSocket connections. | +| fullnameOverride | string | `""` | Override the fully-qualified resource name (defaults to `-agent-helm`). | | healthzPort | string | `"8002"` | Healthz server port exposed by the agent. | -| image.pullPolicy | string | `"Always"` | Image pull policy for the agent container. | +| hostAliases | list | `[]` | Host aliases injected into /etc/hosts of the agent Pod. | +| image.pullPolicy | string | `"IfNotPresent"` | Image pull policy for the agent container. | | image.repository | string | `"ghcr.io/argoproj-labs/argocd-agent/argocd-agent"` | Container image repository for the agent. | -| image.tag | string | `"latest"` | Container image tag for the agent. | +| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | +| imagePullSecrets | list | `[]` | Image pull secrets for private registries. | +| informerSyncTimeout | string | `"10s"` | Timeout for the initial informer sync at agent startup. Increase on large clusters or when the API server is under heavy load. 
| | keepAliveInterval | string | `"50s"` | Keep-alive interval for connections. | | labelSelector | string | `""` | Kubernetes label selector to restrict which resources the agent watches. Only matching resources will be listed, watched, and processed. | | logFormat | string | `"text"` | Log format for the agent (text or json). | | logLevel | string | `"info"` | Log level for the agent. | | metricsPort | string | `"8181"` | Metrics server port exposed by the agent. | +| nameOverride | string | `""` | Override the chart name used in `app.kubernetes.io/name` Also changes `spec.selector.matchLabels`, which is immutable — do not set after initial install unless you are prepared to delete+reinstall. | | namespaceOverride | string | `""` | Override namespace to deploy the agent into. Leave empty to use the release namespace. | | nodeSelector | object | `{}` | Node selector for scheduling the agent Pod. | | podAnnotations | object | `{}` | Additional annotations to add to the agent Pod. | | podLabels | object | `{}` | Additional labels to add to the agent Pod. | +| podSecurityContext | object | `{"fsGroup":999,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":999,"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"RuntimeDefault"}}` | Pod-level securityContext. Applied to the Pod spec. | | pprofPort | string | `"0"` | Port for pprof server (0 disables pprof). | | priorityClassName | string | `""` | PriorityClassName for the agent Pod. | | probes | object | `{"liveness":{"enabled":true,"failureThreshold":3,"httpGet":{"path":"/healthz","port":"healthz"},"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":2},"readiness":{"enabled":true,"failureThreshold":3,"httpGet":{"path":"/healthz","port":"healthz"},"initialDelaySeconds":5,"periodSeconds":10,"timeoutSeconds":2}}` | Liveness and readiness probe configuration. | 
@@ -62,6 +70,9 @@ Kubernetes: `>=1.24.0-0` | probes.readiness.initialDelaySeconds | int | `5` | Initial delay before the first readiness probe. | | probes.readiness.periodSeconds | int | `10` | Frequency of readiness probes. | | probes.readiness.timeoutSeconds | int | `2` | Timeout for readiness probe. | +| progressDeadlineSeconds | int | `600` | Time allowed for the Deployment to make progress before the controller reports failure. | +| rbac.create | bool | `true` | Create namespace-scoped Role and RoleBinding for the agent. | +| rbac.createClusterRole | bool | `true` | Create cluster-scoped ClusterRole and ClusterRoleBinding. Required for destination-based mapping, create-namespace, and resource-proxy discovery across multiple namespaces. Leave `false` to keep the agent strictly namespace-scoped. | | redisAddress | string | `"argocd-redis:6379"` | Redis address used by the agent. | | redisTLS | object | `{"caPath":"/app/config/redis-tls/ca.crt","enabled":false,"insecure":false,"secretName":"argocd-redis-tls"}` | Redis TLS configuration. | | redisTLS.caPath | string | `"/app/config/redis-tls/ca.crt"` | Path to CA certificate for verifying Redis TLS certificate. This path is where the CA certificate will be mounted inside the container. | 
@@ -71,6 +82,8 @@ Kubernetes: `>=1.24.0-0` | redisUsername | string | `""` | Redis username for authentication. | | replicaCount | int | `1` | Number of replicas for the agent Deployment. | | resources | object | `{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resource requests and limits for the agent Pod. | +| revisionHistoryLimit | int | `10` | Number of old ReplicaSets to retain for rollback. | +| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":999,"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"RuntimeDefault"}}` | Container-level securityContext. Applied to the agent container. | | server | string | `"principal.server.address.com"` | Principal server address (hostname or host:port). | | serverPort | string | `"443"` | Principal server port. | | service | object | `{"healthz":{"annotations":{},"port":8002,"targetPort":8002},"metrics":{"annotations":{},"port":8181,"targetPort":8181}}` | Service configuration for metrics and healthz endpoints. | @@ -97,6 +110,7 @@ Kubernetes: `>=1.24.0-0` | serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme | | serviceMonitor.scrapeTimeout | string | `"10s"` | Prometheus scrape timeout. Must be a valid duration string (e.g. "10s"). | | serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | +| terminationGracePeriodSeconds | int | `30` | Grace period for Pod termination (seconds). | | tests | object | `{"enabled":false,"image":"bitnamilegacy/kubectl","tag":"1.33.4"}` | Configuration for helm-chart tests. | | tests.enabled | bool | `false` | By default, chart tests are disabled. | | tests.image | string | `"bitnamilegacy/kubectl"` | Test image. | 
@@ -105,13 +119,16 @@ Kubernetes: `>=1.24.0-0` | tlsClientCertPath | string | `""` | Path to the TLS client certificate. | | tlsClientInSecure | string | `"false"` | Whether to skip TLS verification for client connections. | | tlsClientKeyPath | string | `""` | Path to the TLS client key. | +| tlsInsecurePlaintext | string | `"false"` | Whether to connect to the principal without TLS | | tlsMaxVersion | string | `""` | Maximum TLS version to use (tls1.1, tls1.2, tls1.3). Empty uses highest available. | | tlsMinVersion | string | `""` | Minimum TLS version to use (tls1.1, tls1.2, tls1.3). Empty uses Go default. | | tlsRootCAPath | string | `""` | Path to the TLS root CA certificate. | | tlsRootCASecretName | string | `"argocd-agent-ca"` | Name of the Secret containing root CA certificate. | | tlsSecretName | string | `"argocd-agent-client-tls"` | Name of the TLS Secret containing client cert/key for mTLS. | | tolerations | list | `[]` | Tolerations for the agent Pod. | +| topologySpreadConstraints | list | `[]` | Topology spread constraints for the agent Pod. | +| updateStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"}` | Deployment update strategy (passed through as `spec.strategy`). | | userPasswordSecretName | string | `"argocd-agent-agent-userpass"` | Name of the Secret containing agent username/password (if used). | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/_helpers.tpl b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/_helpers.tpl index 6da09f085..f9164221a 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/_helpers.tpl +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/_helpers.tpl 
@@ -94,6 +94,15 @@ Name for resources used exclusively by Helm tests. {{- printf "%s-test" (include "argocd-agent-agent.agentBaseName" .) | trunc 63 | trimSuffix "-" }} {{- end }} +{{/* +Create default image tag. Uses appVersion as the default, which can be +overridden by setting image.tag in values.yaml. This follows the same +pattern as the official argo-cd Helm chart (argo-cd.defaultTag). +*/}} +{{- define "argocd-agent-agent.defaultTag" -}} +{{- default .Chart.AppVersion .Values.image.tag }} +{{- end -}} + {{/* Create chart name and version as used by the chart label. */}} @@ -114,10 +123,13 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} {{- end }} {{/* -Selector labels +Selector labels. +NOTE: `spec.selector.matchLabels` is immutable on Deployments. Changing any +value emitted here after the initial install (e.g. by setting +`.Values.nameOverride`) requires deleting and reinstalling the release. */}} {{- define "argocd-agent-agent.selectorLabels" -}} -app.kubernetes.io/name: argocd-agent-agent +app.kubernetes.io/name: {{ include "argocd-agent-agent.name" . }} app.kubernetes.io/part-of: argocd-agent app.kubernetes.io/component: agent app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrole.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrole.yaml index 7736796d5..ac76c0532 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrole.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrole.yaml @@ -1,3 +1,4 @@ +{{- if and .Values.rbac.create .Values.rbac.createClusterRole }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -26,3 +27,4 @@ rules: - update - delete - patch +{{- end }} 
diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrolebinding.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrolebinding.yaml
index ea01f5d02..dd1f21e0a 100644
--- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrolebinding.yaml
+++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -12,3 +13,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "argocd-agent-agent.serviceAccountName" . }}
 namespace: {{ include "argocd-agent-agent.namespace" . }}
+{{- end }}
diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-deployment.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-deployment.yaml
index 140b5a8af..715fda3ad 100644
--- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-deployment.yaml
+++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-deployment.yaml
@@ -7,6 +7,12 @@ metadata:
 {{- include "argocd-agent-agent.labels" . | nindent 4 }}
 spec:
 replicas: {{ .Values.replicaCount }}
+ revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+ progressDeadlineSeconds: {{ .Values.progressDeadlineSeconds }}
+ {{- with .Values.updateStrategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
 selector:
 matchLabels:
 {{- include "argocd-agent-agent.selectorLabels" . | nindent 6 }}
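Review bot: The ClusterRole and ClusterRoleBinding are now emitted only when both `rbac.create` and `rbac.createClusterRole` are true, but the schema description of `createClusterRole` added later in this patch says only that it creates the cluster-scoped objects, so `rbac.create: false` silently disabling it is undocumented; a sentence such as `Ignored when rbac.create is false.` in that description (and in values.yaml) would make the dependency visible. In the deployment hunk, `revisionHistoryLimit` and `progressDeadlineSeconds` are rendered unconditionally while `updateStrategy` is guarded by `with`; an override that nulls either renders an empty scalar, which presumably falls back to the API default but is inconsistent with the guarded neighbour. Wrapping both in `{{- with }}` blocks, or documenting that they must not be nulled, would make the three consistent.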
@@ -19,22 +25,34 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} serviceAccountName: {{ include "argocd-agent-agent.serviceAccountName" . }} automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} {{- with .Values.priorityClassName }} priorityClassName: {{ . }} {{- end }} + {{- with .Values.podSecurityContext }} securityContext: - fsGroup: 999 - fsGroupChangePolicy: "OnRootMismatch" - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 999 - seccompProfile: - type: RuntimeDefault + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} containers: - name: argocd-agent-agent - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + image: "{{ .Values.image.repository }}:{{ include "argocd-agent-agent.defaultTag" . }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - agent @@ -183,7 +201,7 @@ spec: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} key: agent.redis.tls.insecure optional: true - - name: ARGOCD_PRINCIPAL_LOG_FORMAT + - name: ARGOCD_AGENT_LOG_FORMAT valueFrom: configMapKeyRef: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} @@ -219,6 +237,12 @@ spec: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} key: agent.cache.refresh-interval optional: true + - name: ARGOCD_AGENT_INFORMER_SYNC_TIMEOUT + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} + key: agent.informer-sync-timeout + optional: true - name: ARGOCD_AGENT_DESTINATION_BASED_MAPPING valueFrom: configMapKeyRef: 
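Review bot: Wrapping the Pod securityContext in `{{- with .Values.podSecurityContext }}` turns the hardening from fixed into optional: an override of `podSecurityContext: {}` or `null` drops the whole block, including `runAsNonRoot` and the RuntimeDefault seccomp profile that this hunk removes from the template, and the schema entry for the object declares `"required": []`, so nothing rejects that. The same applies to the container `securityContext` block in the next hunk of this file. If the goal is to let operators add fields rather than remove the baseline, fill the gaps from a floor instead of passing the map through as-is, e.g. `securityContext: {{- merge .Values.podSecurityContext (dict "runAsNonRoot" true "seccompProfile" (dict "type" "RuntimeDefault")) | toYaml | nindent 8 }}`; otherwise at least list `runAsNonRoot` and `seccompProfile` under `required` for both objects in values.schema.json. The `hostAliases`/`dnsPolicy`/`dnsConfig` passthroughs are fine but worth a one-line comment in values.yaml noting they change how the agent resolves the principal hostname.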
@@ -243,9 +267,6 @@ spec: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} key: agent.label-selector optional: true - name: argocd-agent-agent - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: metrics containerPort: {{ .Values.metricsPort }} @@ -273,18 +294,10 @@ spec: timeoutSeconds: {{ .Values.probes.readiness.timeoutSeconds }} failureThreshold: {{ .Values.probes.readiness.failureThreshold }} {{- end }} + {{- with .Values.securityContext }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 999 - seccompProfile: - type: RuntimeDefault + {{- toYaml . | nindent 12 }} + {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: @@ -310,4 +323,8 @@ spec: {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} {{- end }} \ No newline at end of file diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-params-cm.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-params-cm.yaml index 4a668f921..1dd2dea62 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-params-cm.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-params-cm.yaml 
@@ -100,6 +100,9 @@ data:
 # agent.cache.refresh-interval: Cache refresh interval.
 # Default: "10s"
 agent.cache.refresh-interval: {{ .Values.cacheRefreshInterval | quote }}
+ # agent.informer-sync-timeout: Timeout for the initial informer sync at startup.
+ # Default: "10s"
+ agent.informer-sync-timeout: {{ .Values.informerSyncTimeout | quote }}
 # agent.destination-based-mapping: Whether to enable destination-based mapping.
 # When enabled, the agent creates applications in their original namespace
 # (preserving the namespace from the principal) instead of the agent's own namespace.
@@ -111,16 +114,21 @@ data:
 # agent.allowed-namespaces: Additional namespaces the agent can manage.
 # Default: ""
 agent.allowed-namespaces: {{ .Values.allowedNamespaces | quote }}
+ # agent.tls.insecure-plaintext: Connect to the principal without TLS. Only use
+ # when running behind a service mesh (e.g., Istio) that handles mTLS at
+ # the sidecar level.
+ # Default: false
+ agent.tls.insecure-plaintext: {{ .Values.tlsInsecurePlaintext | quote }}
 # agent.label-selector: Kubernetes label selector to restrict which
 # resources the agent watches.
 # Default: ""
 agent.label-selector: {{ .Values.labelSelector | quote }}
 # agent.redis.tls.enabled: Whether to enable TLS for Redis connections.
- # Default: true
- agent.redis.tls.enabled: {{ .Values.redisTLS.enabled }}
+ # Default: false
+ agent.redis.tls.enabled: {{ .Values.redisTLS.enabled | quote }}
 # agent.redis.tls.ca-path: Path to CA certificate for verifying Redis TLS certificate.
 # Default: ""
 agent.redis.tls.ca-path: {{ .Values.redisTLS.caPath | quote }}
 # agent.redis.tls.insecure: INSECURE: Do not verify Redis TLS certificate.
 # Default: false
- agent.redis.tls.insecure: {{ .Values.redisTLS.insecure }}
+ agent.redis.tls.insecure: {{ .Values.redisTLS.insecure | quote }}
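Review bot: `agent.tls.insecure-plaintext` is the switch that disables TLS towards the principal, yet it is rendered from `.Values.tlsInsecurePlaintext` with nothing more than `quote`, and the matching schema entry added later in this patch declares it a free-form string with default `"false"`, so a mistyped value is neither rejected at install time nor obvious in the ConfigMap. Adding `"enum": ["true", "false"]` to that schema entry (and to the existing `tlsClientInSecure`, which has the same shape) would catch that; I have not checked how the agent parses values outside that set, so confirm before tightening. Since both keys remove transport protection, a short NOTES.txt warning when either renders as `"true"` would make an accidental setting visible to whoever runs the install.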
diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-role.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-role.yaml
index 142ec3252..34a89b35f 100644
--- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-role.yaml
+++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-role.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -39,4 +40,5 @@ rules:
 - events
 verbs:
 - create
- - list
\ No newline at end of file
+ - list
+{{- end }}
diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-rolebinding.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-rolebinding.yaml
index e7a9e782c..af84bb0ef 100644
--- a/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-rolebinding.yaml
+++ b/helm-charts/redhat-argocd-agent/0.9.0/src/templates/agent-rolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -13,3 +14,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "argocd-agent-agent.serviceAccountName" . }}
 namespace: {{ include "argocd-agent-agent.namespace" . }}
+{{- end }}
diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/values.schema.json b/helm-charts/redhat-argocd-agent/0.9.0/src/values.schema.json
index b882c607c..0b23452ad 100644
--- a/helm-charts/redhat-argocd-agent/0.9.0/src/values.schema.json
+++ b/helm-charts/redhat-argocd-agent/0.9.0/src/values.schema.json
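Review bot: The rbac guards are written `{{- if .Values.rbac.create -}}` in agent-role.yaml and agent-rolebinding.yaml but `{{- if and ... }}` with no trailing dash in the two cluster-scoped templates; both forms render here because only a newline follows, but the mixed style invites a whitespace bug the next time one guard is copied into another file. Picking one form across the four templates is enough. When `rbac.create` is false the ServiceAccount is bound to nothing, so the schema description of `rbac.create` could state that the Role and RoleBinding must then be provisioned out of band, e.g. `Set to false only if an equivalent Role/RoleBinding is managed outside the chart.`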
@@ -51,6 +51,12 @@ "title": "cacheRefreshInterval", "type": "string" }, + "informerSyncTimeout": { + "default": "10s", + "description": "Timeout for the initial informer sync at agent startup. Increase on large clusters or when the API server is under heavy load.", + "title": "informerSyncTimeout", + "type": "string" + }, "createNamespace": { "default": false, "description": "Whether to create target namespaces automatically when they don't exist.\nUsed with destination-based mapping.", @@ -63,6 +69,19 @@ "title": "destinationBasedMapping", "type": "boolean" }, + "dnsConfig": { + "additionalProperties": true, + "description": "DNS config for the Pod. Only honored when `dnsPolicy` is \"None\".", + "required": [], + "title": "dnsConfig", + "type": "object" + }, + "dnsPolicy": { + "default": "", + "description": "DNS policy for the Pod (e.g. ClusterFirst, None). Empty leaves the default.", + "title": "dnsPolicy", + "type": "string" + }, "enableCompression": { "default": false, "description": "Whether to enable gRPC compression.", @@ -81,6 +100,12 @@ "title": "enableWebSocket", "type": "boolean" }, + "fullnameOverride": { + "default": "", + "description": "Override the fully-qualified resource name (defaults to `\u003crelease\u003e-agent-helm`).", + "title": "fullnameOverride", + "type": "string" + }, "global": { "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", "required": [], @@ -93,12 +118,20 @@ "title": "healthzPort", "type": "string" }, + "hostAliases": { + "description": "Host aliases injected into /etc/hosts of the agent Pod.", + "items": { + "required": [] + }, + "title": "hostAliases", + "type": "array" + }, "image": { "additionalProperties": false, "description": "#", "properties": { "pullPolicy": { - "default": "Always", + "default": "IfNotPresent", "description": "Image pull policy for the agent container.", "title": "pullPolicy", "type": "string" 
@@ -110,8 +143,8 @@ "type": "string" }, "tag": { - "default": "latest", - "description": "Container image tag for the agent.", + "default": "", + "description": "Overrides the image tag whose default is the chart appVersion.", "title": "tag", "type": "string" } @@ -124,6 +157,14 @@ "title": "image", "type": "object" }, + "imagePullSecrets": { + "description": "Image pull secrets for private registries.", + "items": { + "required": [] + }, + "title": "imagePullSecrets", + "type": "array" + }, "keepAliveInterval": { "default": "50s", "description": "Keep-alive interval for connections.", @@ -148,6 +189,12 @@ "title": "metricsPort", "type": "string" }, + "nameOverride": { + "default": "", + "description": "Override the chart name used in `app.kubernetes.io/name`\nAlso changes `spec.selector.matchLabels`, which is immutable — do not set after initial\ninstall unless you are prepared to delete+reinstall.", + "title": "nameOverride", + "type": "string" + }, "namespaceOverride": { "default": "", "description": "#\nOverride namespace to deploy the agent into. Leave empty to use the release namespace.", 
@@ -175,6 +222,55 @@ "title": "podLabels", "type": "object" }, + "podSecurityContext": { + "additionalProperties": true, + "description": "#\nPod-level securityContext. Applied to the Pod spec.", + "properties": { + "fsGroup": { + "default": 999, + "title": "fsGroup", + "type": "integer" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "title": "fsGroupChangePolicy", + "type": "string" + }, + "runAsGroup": { + "default": 999, + "title": "runAsGroup", + "type": "integer" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": 999, + "title": "runAsUser", + "type": "integer" + }, + "seccompProfile": { + "additionalProperties": true, + "properties": { + "type": { + "default": "RuntimeDefault", + "title": "type", + "type": "string" + } + }, + "required": [ + "type" + ], + "title": "seccompProfile", + "type": "object" + } + }, + "required": [], + "title": "podSecurityContext", + "type": "object" + }, "pprofPort": { "default": "0", "description": "Port for pprof server (0 disables pprof).", 
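Review bot: The `fsGroup`, `runAsGroup` and `runAsUser` defaults of 999 in this `podSecurityContext` entry (and the `runAsGroup`/`runAsUser` 999 defaults in the `securityContext` entry two hunks further down) are not what this chart ships: the values.yaml hunk at the end of this patch sets only `runAsNonRoot` and `seccompProfile`, and the generator script from patch 2 writes the same reduced block. Helm does not apply schema `default`s, so the effect is documentation that promises a fixed UID/GID the rendered Pod never requests; the README table repeats the same 999 values. Presumably the IDs were dropped so the Pod can take whatever UID the platform assigns, in which case either remove those properties from the schema and README or regenerate both from this chart's values.yaml so all three agree.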
@@ -331,6 +427,36 @@ "title": "probes", "type": "object" }, + "progressDeadlineSeconds": { + "default": 600, + "description": "Time allowed for the Deployment to make progress before the controller reports failure.", + "title": "progressDeadlineSeconds", + "type": "integer" + }, + "rbac": { + "additionalProperties": false, + "description": "#", + "properties": { + "create": { + "default": true, + "description": "Create namespace-scoped Role and RoleBinding for the agent.", + "title": "create", + "type": "boolean" + }, + "createClusterRole": { + "default": true, + "description": "Create cluster-scoped ClusterRole and ClusterRoleBinding. Required for\ndestination-based mapping, create-namespace, and resource-proxy discovery\nacross multiple namespaces. Leave `false` to keep the agent strictly\nnamespace-scoped.", + "title": "createClusterRole", + "type": "boolean" + } + }, + "required": [ + "create", + "createClusterRole" + ], + "title": "rbac", + "type": "object" + }, "redisAddress": { "default": "argocd-redis:6379", "description": "Redis address used by the agent.", 
@@ -433,6 +559,88 @@ "title": "resources", "type": "object" }, + "revisionHistoryLimit": { + "default": 10, + "description": "Number of old ReplicaSets to retain for rollback.", + "title": "revisionHistoryLimit", + "type": "integer" + }, + "securityContext": { + "additionalProperties": true, + "description": "#\nContainer-level securityContext. Applied to the agent container.", + "properties": { + "allowPrivilegeEscalation": { + "default": false, + "title": "allowPrivilegeEscalation", + "type": "boolean" + }, + "capabilities": { + "additionalProperties": false, + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ], + "required": [] + }, + "title": "drop", + "type": "array" + } + }, + "required": [ + "drop" + ], + "title": "capabilities", + "type": "object" + }, + "privileged": { + "default": false, + "title": "privileged", + "type": "boolean" + }, + "readOnlyRootFilesystem": { + "default": true, + "title": "readOnlyRootFilesystem", + "type": "boolean" + }, + "runAsGroup": { + "default": 999, + "title": "runAsGroup", + "type": "integer" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": 999, + "title": "runAsUser", + "type": "integer" + }, + "seccompProfile": { + "additionalProperties": true, + "properties": { + "type": { + "default": "RuntimeDefault", + "title": "type", + "type": "string" + } + }, + "required": [ + "type" + ], + "title": "seccompProfile", + "type": "object" + } + }, + "required": [], + "title": "securityContext", + "type": "object" + }, "server": { "default": "principal.server.address.com", "description": "Principal server address (hostname or host:port).", 
@@ -652,6 +860,12 @@ "title": "serviceMonitor", "type": "object" }, + "terminationGracePeriodSeconds": { + "default": 30, + "description": "Grace period for Pod termination (seconds).", + "title": "terminationGracePeriodSeconds", + "type": "integer" + }, "tests": { "additionalProperties": false, "description": "#\nConfiguration for helm-chart tests.", @@ -707,6 +921,12 @@ "title": "tlsClientKeyPath", "type": "string" }, + "tlsInsecurePlaintext": { + "default": "false", + "description": "Whether to connect to the principal without TLS", + "title": "tlsInsecurePlaintext", + "type": "string" + }, "tlsMaxVersion": { "default": "", "description": "Maximum TLS version to use (tls1.1, tls1.2, tls1.3). Empty uses highest available.", @@ -745,6 +965,51 @@ "title": "tolerations", "type": "array" }, + "topologySpreadConstraints": { + "description": "Topology spread constraints for the agent Pod.", + "items": { + "required": [] + }, + "title": "topologySpreadConstraints", + "type": "array" + }, + "updateStrategy": { + "additionalProperties": true, + "description": "Deployment update strategy (passed through as `spec.strategy`).", + "properties": { + "rollingUpdate": { + "additionalProperties": true, + "properties": { + "maxSurge": { + "default": "25%", + "title": "maxSurge", + "type": "string" + }, + "maxUnavailable": { + "default": "25%", + "title": "maxUnavailable", + "type": "string" + } + }, + "required": [ + "maxSurge", + "maxUnavailable" + ], + "title": "rollingUpdate", + "type": "object" + }, + "type": { + "default": "RollingUpdate", + "title": "type", + "type": "string" + } + }, + "required": [ + "type" + ], + "title": "updateStrategy", + "type": "object" + }, "userPasswordSecretName": { "default": "argocd-agent-agent-userpass", "description": "Name of the Secret containing agent username/password (if used).", 
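Review bot: The `updateStrategy.rollingUpdate` entry types `maxSurge` and `maxUnavailable` as `"type": "string"` and requires both, but the Deployment API accepts an integer for either field and does not require both, so a valid override such as `rollingUpdate: {maxUnavailable: 0}` fails schema validation at install time. `"type": ["integer", "string"]` on both properties and dropping the inner `required` list would match what the API allows. The deployment template passes `updateStrategy` straight through with `toYaml`, so this schema is the only thing constraining it.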
@@ -756,17 +1021,24 @@ "namespaceOverride", "image", "replicaCount", + "updateStrategy", + "revisionHistoryLimit", + "progressDeadlineSeconds", "tlsSecretName", "tlsRootCASecretName", "userPasswordSecretName", "resources", "serviceAccount", + "podSecurityContext", + "securityContext", + "rbac", "nodeSelector", "affinity", "tolerations", "podAnnotations", "podLabels", "priorityClassName", + "terminationGracePeriodSeconds", "probes", "agentMode", "auth", @@ -786,6 +1058,7 @@ "pprofPort", "enableResourceProxy", "cacheRefreshInterval", + "informerSyncTimeout", "keepAliveInterval", "tlsClientKeyPath", "tlsClientCertPath", @@ -794,8 +1067,11 @@ "tlsMaxVersion", "tlsCipherSuites", "allowedNamespaces", + "tlsInsecurePlaintext", "destinationBasedMapping", "createNamespace", + "labelSelector", + "redisTLS", "service", "serviceMonitor", "tests" diff --git a/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml b/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml index eea5473ed..906eae200 100644 --- a/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml +++ b/helm-charts/redhat-argocd-agent/0.9.0/src/values.yaml @@ -1,9 +1,19 @@ namespaceOverride: '' +nameOverride: '' +fullnameOverride: '' image: repository: registry.redhat.io/openshift-gitops-1/argocd-agent-rhel9 tag: v1.21.0 - pullPolicy: Always + pullPolicy: IfNotPresent replicaCount: 1 +imagePullSecrets: [] +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% +revisionHistoryLimit: 10 +progressDeadlineSeconds: 600 tlsSecretName: argocd-agent-client-tls tlsRootCASecretName: argocd-agent-ca userPasswordSecretName: argocd-agent-agent-userpass 
@@ -19,12 +29,34 @@ serviceAccount:
 name: ''
 annotations: {}
 automountServiceAccountToken: true
+podSecurityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+rbac:
+ create: true
+ createClusterRole: true
 nodeSelector: {}
 affinity: {}
 tolerations: []
+topologySpreadConstraints: []
 podAnnotations: {}
 podLabels: {}
 priorityClassName: ''
+terminationGracePeriodSeconds: 30
+hostAliases: []
+dnsPolicy: ''
+dnsConfig: {}
 probes:
 liveness:
 enabled: true
@@ -62,6 +94,7 @@ enableCompression: false
 pprofPort: '0'
 enableResourceProxy: true
 cacheRefreshInterval: 10s
+informerSyncTimeout: 10s
 keepAliveInterval: 50s
 tlsClientKeyPath: ''
 tlsClientCertPath: ''
@@ -70,6 +103,7 @@ tlsMinVersion: ''
 tlsMaxVersion: ''
 tlsCipherSuites: ''
 allowedNamespaces: ''
+tlsInsecurePlaintext: 'false'
 destinationBasedMapping: false
 createNamespace: false
 labelSelector: ''
@@ -103,17 +137,3 @@ tests:
 enabled: false
 image: bitnamilegacy/kubectl
 tag: 1.33.4
-podSecurityContext:
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- seccompProfile:
- type: RuntimeDefault