From 0dec538f6a57605273624da1deda28b5ba46af1b Mon Sep 17 00:00:00 2001 From: Jayendra Parsai Date: Mon, 15 Jun 2026 12:10:06 +0530 Subject: [PATCH] build: update argocd-agent chart 
Signed-off-by: Jayendra Parsai --- hack/generate-agent-helm-chart.py | 13 + .../0.7.0/src/templates/agent-sa.yaml | 9 - .../0.7.0/src/values.schema.json | 331 ------- .../{0.7.0 => main}/src/.helmignore | 0 .../{0.7.0 => main}/src/Chart.yaml | 4 +- .../{0.7.0 => main}/src/README.md | 21 +- .../{0.7.0 => main}/src/templates/NOTES.txt | 0 .../src/templates/_helpers.tpl | 10 +- .../src/templates/agent-clusterrole.yaml | 6 +- .../templates/agent-clusterrolebinding.yaml | 8 +- .../src/templates/agent-deployment.yaml | 105 ++- .../src/templates/agent-healthz-service.yaml | 12 +- .../src/templates/agent-metrics-service.yaml | 12 +- .../src/templates/agent-params-cm.yaml | 45 +- .../src/templates/agent-role.yaml | 8 +- .../src/templates/agent-rolebinding.yaml | 8 +- .../main/src/templates/agent-sa.yaml | 14 + .../src/templates/agent-servicemonitor.yaml | 48 ++ .../src/templates/tests/test-configMap.yaml | 0 .../src/templates/tests/test-deployment.yaml | 0 .../src/templates/tests/test-labels.yaml | 0 .../src/templates/tests/test-overall.yaml | 0 .../src/templates/tests/test-rbac.yaml | 0 .../src/templates/tests/test-sa.yaml | 0 .../src/templates/tests/test-services.yaml | 0 .../main/src/values.schema.json | 804 ++++++++++++++++++ .../{0.7.0 => main}/src/values.yaml | 33 + 27 files changed, 1066 insertions(+), 425 deletions(-) delete mode 100644 helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-sa.yaml delete mode 100644 helm-charts/redhat-argocd-agent/0.7.0/src/values.schema.json rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/.helmignore (100%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/Chart.yaml (95%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/README.md (73%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/NOTES.txt (100%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/_helpers.tpl (93%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/agent-clusterrole.yaml 
(74%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/agent-clusterrolebinding.yaml (66%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/agent-deployment.yaml (78%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/agent-healthz-service.yaml (57%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/agent-metrics-service.yaml (57%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/agent-params-cm.yaml (79%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/agent-role.yaml (73%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/agent-rolebinding.yaml (68%) create mode 100644 helm-charts/redhat-argocd-agent/main/src/templates/agent-sa.yaml create mode 100644 helm-charts/redhat-argocd-agent/main/src/templates/agent-servicemonitor.yaml rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/tests/test-configMap.yaml (100%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/tests/test-deployment.yaml (100%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/tests/test-labels.yaml (100%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/tests/test-overall.yaml (100%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/tests/test-rbac.yaml (100%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/tests/test-sa.yaml (100%) rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/templates/tests/test-services.yaml (100%) create mode 100644 helm-charts/redhat-argocd-agent/main/src/values.schema.json rename helm-charts/redhat-argocd-agent/{0.7.0 => main}/src/values.yaml (72%) diff --git a/hack/generate-agent-helm-chart.py b/hack/generate-agent-helm-chart.py index dc88789a7..31df4679f 100644 --- a/hack/generate-agent-helm-chart.py +++ b/hack/generate-agent-helm-chart.py 
@@ -91,6 +91,19 @@ def update_copied_chart_files(version: str, image_repository: str, image_tag: st image["tag"] = image_tag values["image"] = image + values["podSecurityContext"] = { + "runAsNonRoot": True, + "seccompProfile": {"type": "RuntimeDefault"}, + } + values["securityContext"] = { + "allowPrivilegeEscalation": False, + "capabilities": {"drop": ["ALL"]}, + "privileged": False, + "readOnlyRootFilesystem": True, + "runAsNonRoot": True, + "seccompProfile": {"type": "RuntimeDefault"}, + } + with values_path.open("w", encoding="utf-8") as file: yaml.safe_dump(values, file, sort_keys=False) diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-sa.yaml b/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-sa.yaml deleted file mode 100644 index a31520345..000000000 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-sa.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent - name: {{ include "argocd-agent-agent.serviceAccountName" . }} - namespace: {{ include "argocd-agent-agent.namespace" . }} \ No newline at end of file diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/values.schema.json b/helm-charts/redhat-argocd-agent/0.7.0/src/values.schema.json deleted file mode 100644 index a104f2304..000000000 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/values.schema.json +++ /dev/null 
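Review bot: The `podSecurityContext` and `securityContext` values written here are not read by the Deployment template shown later in this patch: `templates/agent-deployment.yaml` renders both security contexts as literals, including `runAsUser: 999`, `runAsGroup: 999` and `fsGroup: 999`, and no `.Values.podSecurityContext` or `.Values.securityContext` reference appears in its hunks. Unless the template is rewritten elsewhere in this script, these hardened defaults have no effect on the rendered pod, and the fixed UID/GID that the dictionaries leave out stays in place. Both assignments also replace any value already present under those keys instead of merging with it. I would confirm the template consumes these keys and add a comment above the block, `# Must match the securityContext read by templates/agent-deployment.yaml; existing values are overwritten, not merged.` The body of `update_copied_chart_files` starts and ends outside this hunk.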
@@ -1,331 +0,0 @@ -{ - "$schema": "https://json-schema.org/draft-07/schema#", - "$id": "https://argoproj-labs.github.io/argocd-agent/values.schema.json", - "title": "argocd-agent-agent chart values", - "type": "object", - "additionalProperties": true, - "properties": { - "namespaceOverride": { - "type": "string", - "description": "Override namespace to deploy the agent into" - }, - - "tlsSecretName": { - "type": "string", - "description": "Secret name containing client TLS cert/key for agent" - }, - "tlsRootCASecretName": { - "type": "string", - "description": "Name of the Secret containing root CA certificate" - }, - "userPasswordSecretName": { - "type": "string", - "description": "Secret name containing optional user/password credentials" - }, - - "image": { - "type": "object", - "description": "Container image configuration", - "additionalProperties": false, - "properties": { - "repository": { - "type": "string", - "description": "Container image repository for the agent" - }, - "tag": { - "type": "string", - "description": "Container image tag" - }, - "pullPolicy": { - "type": "string", - "enum": ["Always", "IfNotPresent", "Never"], - "description": "Image pull policy" - } - } - }, - - "replicaCount": { - "type": "integer", - "minimum": 0, - "description": "Number of replicas for the Deployment" - }, - - "resources": { - "type": "object", - "description": "Container resource requests/limits", - "additionalProperties": true, - "properties": { - "limits": { - "type": "object", - "additionalProperties": true, - "properties": { - "cpu": { "type": "string" }, - "memory": { "type": "string" } - } - }, - "requests": { - "type": "object", - "additionalProperties": true, - "properties": { - "cpu": { "type": "string" }, - "memory": { "type": "string" } - } - } - } - }, - - "nodeSelector": { - "type": "object", - "additionalProperties": { "type": "string" }, - "description": "Node selector for pod scheduling" - }, - "affinity": { - "type": "object", - 
"additionalProperties": true, - "description": "Pod affinity/anti-affinity rules" - }, - "tolerations": { - "type": "array", - "items": { "type": "object" }, - "description": "Tolerations for tainted nodes" - }, - - "podAnnotations": { - "type": "object", - "additionalProperties": { "type": "string" }, - "description": "Annotations to add to the pod" - }, - "podLabels": { - "type": "object", - "additionalProperties": { "type": "string" }, - "description": "Labels to add to the pod" - }, - - "priorityClassName": { - "type": "string", - "description": "PriorityClass name for the pod" - }, - - "serviceAccount": { - "type": "object", - "description": "ServiceAccount configuration", - "additionalProperties": false, - "properties": { - "create": { "type": "boolean", "default": true }, - "name": { "type": "string" }, - "annotations": { "type": "object", "additionalProperties": { "type": "string" } } - } - }, - - "agentMode": { - "type": "string", - "description": "Agent mode (e.g., 'autonomous' or 'managed')", - "enum": ["autonomous", "managed"] - }, - "auth": { - "type": "string", - "description": "Authentication mode (e.g., 'mtls:any')" - }, - "logLevel": { - "type": "string", - "description": "Log level (debug, info, warn, error)" - }, - "logFormat": { - "type": "string", - "enum": ["text", "json"], - "description": "Log format for the agent (text or json)" - }, - "server": { - "type": "string", - "description": "Remote principal server address" - }, - "serverPort": { - "type": "string", - "pattern": "^[0-9]+$", - "description": "Remote principal server port" - }, - "metricsPort": { - "type": "string", - "pattern": "^[0-9]+$", - "description": "Agent metrics port (env/config value)" - }, - "tlsClientInSecure": { - "anyOf": [ - { "type": "string", "enum": ["true", "false"] }, - { "type": "boolean" } - ], - "description": "Whether to skip TLS verification for client (can be boolean or string)" - }, - "healthzPort": { - "type": "string", - "pattern": "^[0-9]+$", - 
"description": "Agent healthz port (env/config value)" - }, - "redisAddress": { - "type": "string", - "description": "Redis address (host:port)" - }, - "redisUsername": { - "type": "string", - "description": "Redis username for authentication" - }, - "argoCdRedisSecretName": { - "type": "string", - "description": "ArgoCD Redis password secret name" - }, - "argoCdRedisPasswordKey": { - "type": "string", - "description": "ArgoCD Redis password key" - }, - "enableWebSocket": { - "type": "boolean", - "description": "Whether to enable WebSocket connections" - }, - "enableCompression": { - "type": "boolean", - "description": "Whether to enable gRPC compression" - }, - "pprofPort": { - "type": "string", - "description": "Port for pprof server (0 disables pprof)" - }, - "enableResourceProxy": { - "type": "boolean", - "description": "Whether to enable resource proxy" - }, - "cacheRefreshInterval": { - "type": "string", - "pattern": "^[0-9]+(ms|s|m|h)$", - "description": "Cache refresh interval" - }, - "keepAliveInterval": { - "type": "string", - "pattern": "^[0-9]+(ms|s|m|h)$", - "description": "Keep-alive interval for connections" - }, - "tlsClientKeyPath": { "type": "string", "description": "Path to client key inside container" }, - "tlsClientCertPath": { "type": "string", "description": "Path to client cert inside container" }, - "tlsRootCAPath": { "type": "string", "description": "Path to Root CA inside container" }, - "tlsMinVersion": { - "type": "string", - "enum": ["", "tls1.1", "tls1.2", "tls1.3"], - "description": "Minimum TLS version to use (empty uses Go default)" - }, - "tlsMaxVersion": { - "type": "string", - "enum": ["", "tls1.1", "tls1.2", "tls1.3"], - "description": "Maximum TLS version to use (empty uses highest available)" - }, - "tlsCipherSuites": { - "type": "string", - "description": "Comma-separated list of TLS cipher suites (empty uses Go defaults)" - }, - - "destinationBasedMapping": { - "type": "boolean", - "description": "Whether to enable 
destination-based mapping. When enabled, the agent creates applications in their original namespace instead of the agent's own namespace." - }, - "createNamespace": { - "type": "boolean", - "description": "Whether to create target namespaces automatically when they don't exist. Used with destination-based mapping." - }, - "allowedNamespaces": { - "type": "string", - "description": "Comma-separated list of additional namespaces the agent is allowed to manage applications in (used with applications in any namespace feature). Supports glob patterns." - }, - - "service": { - "type": "object", - "description": "Service configuration for metrics and healthz", - "additionalProperties": false, - "properties": { - "metrics": { - "type": "object", - "additionalProperties": false, - "properties": { - "port": { "type": "integer", "minimum": 1, "maximum": 65535 }, - "targetPort": { "type": "integer", "minimum": 1, "maximum": 65535 }, - "annotations": { "type": "object", "additionalProperties": { "type": "string" } } - } - }, - "healthz": { - "type": "object", - "additionalProperties": false, - "properties": { - "port": { "type": "integer", "minimum": 1, "maximum": 65535 }, - "targetPort": { "type": "integer", "minimum": 1, "maximum": 65535 }, - "annotations": { "type": "object", "additionalProperties": { "type": "string" } } - } - } - } - }, - - "probes": { - "type": "object", - "description": "Liveness and readiness probe configuration", - "additionalProperties": false, - "properties": { - "liveness": { - "type": "object", - "additionalProperties": false, - "properties": { - "enabled": { "type": "boolean" }, - "httpGet": { - "type": "object", - "additionalProperties": false, - "properties": { - "path": { "type": "string" }, - "port": { "type": ["string", "integer"] } - } - }, - "initialDelaySeconds": { "type": "integer", "minimum": 0 }, - "periodSeconds": { "type": "integer", "minimum": 1 }, - "timeoutSeconds": { "type": "integer", "minimum": 1 }, - "failureThreshold": { 
"type": "integer", "minimum": 1 } - } - }, - "readiness": { - "type": "object", - "additionalProperties": false, - "properties": { - "enabled": { "type": "boolean" }, - "httpGet": { - "type": "object", - "additionalProperties": false, - "properties": { - "path": { "type": "string" }, - "port": { "type": ["string", "integer"] } - } - }, - "initialDelaySeconds": { "type": "integer", "minimum": 0 }, - "periodSeconds": { "type": "integer", "minimum": 1 }, - "timeoutSeconds": { "type": "integer", "minimum": 1 }, - "failureThreshold": { "type": "integer", "minimum": 1 } - } - } - } - }, - - "tests": { - "type": "object", - "description": "Configuration for chart tests", - "additionalProperties": false, - "properties": { - "enabled": { - "type": "boolean", - "description": "Enable chart tests" - }, - "image": { - "type": "string", - "description": "Test image" - }, - "tag": { - "type": "string", - "description": "Test image tag" - } - } - } - } -} - - diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/.helmignore b/helm-charts/redhat-argocd-agent/main/src/.helmignore similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/.helmignore rename to helm-charts/redhat-argocd-agent/main/src/.helmignore diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/Chart.yaml b/helm-charts/redhat-argocd-agent/main/src/Chart.yaml similarity index 95% rename from helm-charts/redhat-argocd-agent/0.7.0/src/Chart.yaml rename to helm-charts/redhat-argocd-agent/main/src/Chart.yaml index 3a327e915..6eec1624e 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/Chart.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/Chart.yaml @@ -2,8 +2,8 @@ apiVersion: v2 name: redhat-argocd-agent description: RedHat Argo CD Agent for connecting managed clusters to a Principal type: application -version: 0.7.0 -appVersion: 0.7.0 +version: main +appVersion: main home: https://github.com/argoproj-labs/argocd-agent sources: - https://github.com/argoproj-labs/argocd-agent 
diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/README.md b/helm-charts/redhat-argocd-agent/main/src/README.md similarity index 73% rename from helm-charts/redhat-argocd-agent/0.7.0/src/README.md rename to helm-charts/redhat-argocd-agent/main/src/README.md index 1449ab453..3dbe8a63d 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/README.md +++ b/helm-charts/redhat-argocd-agent/main/src/README.md @@ -41,6 +41,7 @@ Kubernetes: `>=1.24.0-0` | image.repository | string | `"ghcr.io/argoproj-labs/argocd-agent/argocd-agent"` | Container image repository for the agent. | | image.tag | string | `"latest"` | Container image tag for the agent. | | keepAliveInterval | string | `"50s"` | Keep-alive interval for connections. | +| labelSelector | string | `""` | Kubernetes label selector to restrict which resources the agent watches. Only matching resources will be listed, watched, and processed. | | logFormat | string | `"text"` | Log format for the agent (text or json). | | logLevel | string | `"info"` | Log level for the agent. | | metricsPort | string | `"8181"` | Metrics server port exposed by the agent. | 
@@ -62,6 +63,11 @@ Kubernetes: `>=1.24.0-0` | probes.readiness.periodSeconds | int | `10` | Frequency of readiness probes. | | probes.readiness.timeoutSeconds | int | `2` | Timeout for readiness probe. | | redisAddress | string | `"argocd-redis:6379"` | Redis address used by the agent. | +| redisTLS | object | `{"caPath":"/app/config/redis-tls/ca.crt","enabled":false,"insecure":false,"secretName":"argocd-redis-tls"}` | Redis TLS configuration. | +| redisTLS.caPath | string | `"/app/config/redis-tls/ca.crt"` | Path to CA certificate for verifying Redis TLS certificate. This path is where the CA certificate will be mounted inside the container. | +| redisTLS.enabled | bool | `false` | Enable TLS for Redis connections. | +| redisTLS.insecure | bool | `false` | Skip verification of Redis TLS certificate (INSECURE - for development only). | +| redisTLS.secretName | string | `"argocd-redis-tls"` | Name of the Kubernetes Secret containing the Redis TLS CA certificate. The secret should have a key 'ca.crt' containing the CA certificate in PEM format. Set to empty string to disable mounting (requires system CAs or insecure mode). | | redisUsername | string | `""` | Redis username for authentication. | | replicaCount | int | `1` | Number of replicas for the agent Deployment. | | resources | object | `{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"128Mi"}}` | Resource requests and limits for the agent Pod. | 
@@ -74,10 +80,23 @@ Kubernetes: `>=1.24.0-0` | service.metrics.annotations | object | `{}` | Annotations to add to the metrics Service. | | service.metrics.port | int | `8181` | Service port for metrics. | | service.metrics.targetPort | int | `8181` | Target port for metrics. | -| serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | ServiceAccount configuration. | +| serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":true,"create":true,"name":""}` | ServiceAccount configuration. | | serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account | | serviceAccount.create | bool | `true` | Whether to create the ServiceAccount. | | serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If empty, a name is generated. | +| serviceMonitor | object | `{"additionalLabels":{},"annotations":{},"enabled":false,"honorLabels":false,"interval":"30s","metricRelabelings":[],"namespace":"","relabelings":[],"scheme":"","scrapeTimeout":"10s","tlsConfig":{}}` | Prometheus ServiceMonitor configuration. | +| serviceMonitor.additionalLabels | object | `{}` | Prometheus ServiceMonitor labels | +| serviceMonitor.annotations | object | `{}` | Prometheus ServiceMonitor annotations | +| serviceMonitor.enabled | bool | `false` | Whether to create a ServiceMonitor resource. | +| serviceMonitor.honorLabels | bool | `false` | When true, honorLabels preserves the metric’s labels when they collide with the target’s labels. | +| serviceMonitor.interval | string | `"30s"` | Prometheus scrape interval. Must be a valid duration string (e.g. "30s"). | +| serviceMonitor.metricRelabelings | list | `[]` | Prometheus [MetricRelabelConfigs] to apply to samples before ingestion | +| serviceMonitor.namespace | string | `""` | Namespace where the ServiceMonitor should be created. Defaults to release namespace. 
| +| serviceMonitor.relabelings | list | `[]` | Prometheus [RelabelConfigs] to apply to samples before scraping | +| serviceMonitor.scheme | string | `""` | Prometheus ServiceMonitor scheme | +| serviceMonitor.scrapeTimeout | string | `"10s"` | Prometheus scrape timeout. Must be a valid duration string (e.g. "10s"). | +| serviceMonitor.tlsConfig | object | `{}` | Prometheus ServiceMonitor tlsConfig | | tests | object | `{"enabled":false,"image":"bitnamilegacy/kubectl","tag":"1.33.4"}` | Configuration for helm-chart tests. | | tests.enabled | bool | `false` | By default, chart tests are disabled. | | tests.image | string | `"bitnamilegacy/kubectl"` | Test image. | diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/NOTES.txt b/helm-charts/redhat-argocd-agent/main/src/templates/NOTES.txt similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/NOTES.txt rename to helm-charts/redhat-argocd-agent/main/src/templates/NOTES.txt diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/_helpers.tpl b/helm-charts/redhat-argocd-agent/main/src/templates/_helpers.tpl similarity index 93% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/_helpers.tpl rename to helm-charts/redhat-argocd-agent/main/src/templates/_helpers.tpl index 5b371b1f1..6da09f085 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/_helpers.tpl +++ b/helm-charts/redhat-argocd-agent/main/src/templates/_helpers.tpl @@ -117,7 +117,9 @@ app.kubernetes.io/managed-by: {{ .Release.Service }} Selector labels */}} {{- define "argocd-agent-agent.selectorLabels" -}} -app.kubernetes.io/name: {{ include "argocd-agent-agent.name" . }} +app.kubernetes.io/name: argocd-agent-agent +app.kubernetes.io/part-of: argocd-agent +app.kubernetes.io/component: agent app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} 
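Review bot: Changing `argocd-agent-agent.selectorLabels` alters the Deployment's `spec.selector.matchLabels`, which Kubernetes treats as immutable: the 0.7.0 template selected on name, part-of and component only, while the helper also emits `app.kubernetes.io/instance: {{ .Release.Name }}`. An in-place `helm upgrade` of a release installed from the 0.7.0 chart would likely be rejected by the API server until the Deployment is deleted and recreated. The tighter Service selectors that follow from this helper are an improvement, since the old Services matched any pod carrying only `app.kubernetes.io/name: argocd-agent-agent`. I would document the upgrade step in the README and extend the helper's comment to `Selector labels. Immutable on the Deployment; changing them requires recreating it.`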
@@ -136,6 +138,12 @@ Create the name of the service account to use {{- end }} {{- end }} +{{/* +Name for the agent service monitor. +*/}} +{{- define "argocd-agent-agent.agentServiceMonitorName" -}} +{{- include "argocd-agent-agent.resourceName" (dict "root" . "suffix" "servicemonitor") }} +{{- end }} {{/* Expand the namespace of the release. diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-clusterrole.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-clusterrole.yaml similarity index 74% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-clusterrole.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/agent-clusterrole.yaml index 7ba39355d..7736796d5 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-clusterrole.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-clusterrole.yaml @@ -1,11 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent name: {{ include "argocd-agent-agent.clusterRoleName" . }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} rules: - apiGroups: - "" diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-clusterrolebinding.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-clusterrolebinding.yaml similarity index 66% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-clusterrolebinding.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/agent-clusterrolebinding.yaml index 1674616ab..ea01f5d02 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-clusterrolebinding.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-clusterrolebinding.yaml 
@@ -1,11 +1,9 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent name: {{ include "argocd-agent-agent.clusterRoleBindingName" . }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole @@ -13,4 +11,4 @@ roleRef: subjects: - kind: ServiceAccount name: {{ include "argocd-agent-agent.serviceAccountName" . }} - namespace: {{ include "argocd-agent-agent.namespace" . }} + namespace: {{ include "argocd-agent-agent.namespace" . }} diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-deployment.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-deployment.yaml similarity index 78% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-deployment.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/agent-deployment.yaml index d8dfed39d..140b5a8af 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-deployment.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-deployment.yaml 
@@ -1,28 +1,42 @@ apiVersion: apps/v1 kind: Deployment metadata: - labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent name: {{ include "argocd-agent-agent.agentDeploymentName" . }} - namespace: {{ include "argocd-agent-agent.namespace" . }} + namespace: {{ include "argocd-agent-agent.namespace" . }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} spec: replicas: {{ .Values.replicaCount }} selector: matchLabels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent + {{- include "argocd-agent-agent.selectorLabels" . | nindent 6 }} template: metadata: labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent + {{- include "argocd-agent-agent.selectorLabels" . | nindent 8 }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} spec: + serviceAccountName: {{ include "argocd-agent-agent.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + securityContext: + fsGroup: 999 + fsGroupChangePolicy: "OnRootMismatch" + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 999 + seccompProfile: + type: RuntimeDefault containers: - - args: + - name: argocd-agent-agent + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: - agent env: - name: ARGOCD_AGENT_REMOTE_SERVER 
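Review bot: The container entry now defines `name`, `image` and `imagePullPolicy` twice: this hunk adds them at the top of the list item, and the hunk at `@@ -205,14 +237,22 @@` keeps the original three lines as unchanged context after the `env` block. YAML parsers treat duplicate mapping keys differently (some reject them, others silently keep the last value), so which image reference is deployed depends on the tooling, and strict validation may fail the manifest. Both copies render the same expression today, but a later edit to only one of them would create a silent mismatch in the deployed image. I would drop the older trio ahead of `ports:` and keep the lines added here.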
@@ -151,6 +165,24 @@ spec: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} key: agent.redis.username optional: true + - name: ARGOCD_AGENT_REDIS_TLS_ENABLED + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} + key: agent.redis.tls.enabled + optional: true + - name: ARGOCD_AGENT_REDIS_TLS_CA_PATH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} + key: agent.redis.tls.ca-path + optional: true + - name: ARGOCD_AGENT_REDIS_TLS_INSECURE + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} + key: agent.redis.tls.insecure + optional: true - name: ARGOCD_PRINCIPAL_LOG_FORMAT valueFrom: configMapKeyRef: @@ -205,14 +237,22 @@ spec: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} key: agent.allowed-namespaces optional: true + - name: ARGOCD_AGENT_LABEL_SELECTOR + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} + key: agent.label-selector + optional: true name: argocd-agent-agent image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - - containerPort: 8000 - name: metrics - - containerPort: 8002 - name: healthz + - name: metrics + containerPort: {{ .Values.metricsPort }} + protocol: TCP + - name: healthz + containerPort: {{ .Values.healthzPort }} + protocol: TCP {{- if .Values.probes.liveness.enabled }} livenessProbe: httpGet: 
@@ -234,37 +274,40 @@ spec: failureThreshold: {{ .Values.probes.readiness.failureThreshold }} {{- end }} securityContext: + allowPrivilegeEscalation: false capabilities: drop: - ALL - allowPrivilegeEscalation: false + privileged: false readOnlyRootFilesystem: true + runAsGroup: 999 runAsNonRoot: true + runAsUser: 999 seccompProfile: type: RuntimeDefault resources: -{{ toYaml .Values.resources | indent 12 }} + {{- toYaml .Values.resources | nindent 12 }} volumeMounts: - name: userpass-passwd mountPath: /app/config/creds - serviceAccountName: {{ include "argocd-agent-agent.serviceAccountName" . }} + readOnly: true + volumes: + - name: userpass-passwd + secret: + secretName: {{ .Values.userPasswordSecretName }} + items: + - key: credentials + path: userpass.creds + optional: true {{- with .Values.nodeSelector }} nodeSelector: -{{ toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.affinity }} affinity: -{{ toYaml . | indent 8 }} + {{- toYaml . | nindent 8 }} {{- end }} {{- with .Values.tolerations }} tolerations: -{{ toYaml . | indent 8 }} - {{- end }} - volumes: - - name: userpass-passwd - secret: - secretName: {{ .Values.userPasswordSecretName }} - items: - - key: credentials - path: userpass.creds - optional: true \ No newline at end of file + {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-healthz-service.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-healthz-service.yaml similarity index 57% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-healthz-service.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/agent-healthz-service.yaml index 2b64988a8..e7cc80b63 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-healthz-service.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-healthz-service.yaml 
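Review bot: No volume or volumeMount for the Redis TLS CA is added in this file's hunks, although the README in this patch says `redisTLS.caPath` is where the CA certificate from `redisTLS.secretName` is mounted, and an earlier hunk passes `ARGOCD_AGENT_REDIS_TLS_CA_PATH` to the container. As far as the visible hunks show, `volumes` still lists only `userpass-passwd`, so with `readOnlyRootFilesystem: true` the default path `/app/config/redis-tls/ca.crt` would not exist in the pod. Operators enabling `redisTLS.enabled` could then be pushed towards `redisTLS.insecure: true`, which turns off certificate verification. I would add a conditional secret volume and read-only mount keyed on `redisTLS.secretName`, as sketched below, or correct the README if the mount is provided elsewhere.

```yaml
        volumeMounts:
        # … unchanged: userpass-passwd mount …
        {{- if and .Values.redisTLS.enabled .Values.redisTLS.secretName }}
        - name: redis-tls-ca            # volume name chosen for this sketch
          mountPath: {{ dir .Values.redisTLS.caPath }}
          readOnly: true
        {{- end }}
      volumes:
      # … unchanged: userpass-passwd secret volume …
      {{- if and .Values.redisTLS.enabled .Values.redisTLS.secretName }}
      - name: redis-tls-ca
        secret:
          secretName: {{ .Values.redisTLS.secretName }}
      {{- end }}
```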
@@ -1,15 +1,13 @@ apiVersion: v1 kind: Service metadata: - labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent name: {{ include "argocd-agent-agent.healthzServiceName" . }} - namespace: {{ include "argocd-agent-agent.namespace" . }} + namespace: {{ include "argocd-agent-agent.namespace" . }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} {{- with .Values.service.healthz.annotations }} annotations: -{{ toYaml . | indent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} spec: ports: @@ -18,4 +16,4 @@ spec: port: {{ .Values.service.healthz.port }} targetPort: {{ .Values.service.healthz.targetPort }} selector: - app.kubernetes.io/name: argocd-agent-agent \ No newline at end of file + {{- include "argocd-agent-agent.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-metrics-service.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-metrics-service.yaml similarity index 57% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-metrics-service.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/agent-metrics-service.yaml index a6337a8e5..23a3c5954 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-metrics-service.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-metrics-service.yaml 
@@ -1,15 +1,13 @@ apiVersion: v1 kind: Service metadata: - labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent name: {{ include "argocd-agent-agent.metricsServiceName" . }} - namespace: {{ include "argocd-agent-agent.namespace" . }} + namespace: {{ include "argocd-agent-agent.namespace" . }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} {{- with .Values.service.metrics.annotations }} annotations: -{{ toYaml . | indent 4 }} + {{- toYaml . | nindent 4 }} {{- end }} spec: ports: @@ -18,4 +16,4 @@ spec: port: {{ .Values.service.metrics.port }} targetPort: {{ .Values.service.metrics.targetPort }} selector: - app.kubernetes.io/name: argocd-agent-agent \ No newline at end of file + {{- include "argocd-agent-agent.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-params-cm.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-params-cm.yaml similarity index 79% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-params-cm.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/agent-params-cm.yaml index ffe19739a..4a668f921 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-params-cm.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-params-cm.yaml 
@@ -2,16 +2,14 @@ apiVersion: v1 kind: ConfigMap metadata: name: {{ include "argocd-agent-agent.paramsConfigMapName" . }} - namespace: {{ include "argocd-agent-agent.namespace" . }} + namespace: {{ include "argocd-agent-agent.namespace" . }} labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent + {{- include "argocd-agent-agent.labels" . | nindent 4 }} data: # agent.mode: The mode this agent should operate in. Valid values are # "autonomous" or "managed". # Default: "autonomous" - agent.mode: {{ .Values.agentMode }} + agent.mode: {{ .Values.agentMode | quote }} # agent.creds: Valid credential identifier for this agent. Must be in the # format :. Valid values are: # - "userpass:_path_to_encrypted_creds_" where _path_to_encrypted_creds_ is @@ -19,7 +17,7 @@ data: # - "mtls:_agent_id_regex_" where _agent_id_regex_ is the regex pattern for # extracting the agent ID from client cert subject. # Default: "" - agent.creds: {{ .Values.auth }} + agent.creds: {{ .Values.auth | quote }} # agent.tls.secret-name: Name of the secret containing the TLS certificate. # Default: "argocd-agent-client-tls" agent.tls.secret-name: {{ .Values.tlsSecretName | quote }} 
@@ -29,19 +27,19 @@ data: # agent.tls.client.insecure: Whether to skip the validation of the remote TLS # credentials. Insecure. Do only use for development purposes. # Default: false - agent.tls.client.insecure: {{ .Values.tlsClientInSecure | quote }} + agent.tls.client.insecure: {{ .Values.tlsClientInSecure | quote }} # agent.tls.root-ca-path: The path to a file containing the certificates for # the TLS root certificate authority used to validate the remote principal. # Default: "" - agent.tls.root-ca-path: {{ .Values.tlsRootCAPath }} + agent.tls.root-ca-path: {{ .Values.tlsRootCAPath | quote }} # agent.tls.client.cert-path: Path to a file containing the agent's TLS client # certificate. # Default: "" - agent.tls.client.cert-path: {{ .Values.tlsClientCertPath }} + agent.tls.client.cert-path: {{ .Values.tlsClientCertPath | quote }} # agent.tls.client.cert-path: Path to a file containing the agent's TLS client # private key. # Default: "" - agent.tls.client.key-path: {{ .Values.tlsClientKeyPath }} + agent.tls.client.key-path: {{ .Values.tlsClientKeyPath | quote }} # agent.tls.min-version: Minimum TLS version to use when connecting to the principal. # Valid values: tls1.1, tls1.2, tls1.3 # Default: "" (use Go default) 
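Review bot: The comment above `agent.tls.client.key-path` still names the wrong key: it reads `# agent.tls.client.cert-path: Path to a file containing the agent's TLS client private key.`, the same heading as the certificate entry just before it. Since this hunk already touches the value line, the heading could be corrected to `# agent.tls.client.key-path: Path to a file containing the agent's TLS client private key.`. The following hunk has the same kind of mismatch, where `# agent.principal.address:` documents the key `agent.server.address`. Operators read these comments to decide which file path goes where, so the headings should match the keys.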
@@ -57,15 +55,18 @@ data: # agent.log.level: The log level the agent should use. Valid values are # trace, debug, info, warn and error. # Default: "info" - agent.log.level: {{ .Values.logLevel }} + agent.log.level: {{ .Values.logLevel | quote }} + # agent.log.format: Log format (text or json). + # Default: "text" + agent.log.format: {{ .Values.logFormat | quote }} # agent.namespace: The namespace the agent should operate and manage the # Argo CD resources in. # Default: "argocd" - agent.namespace: {{ include "argocd-agent-agent.namespace" . }} + agent.namespace: {{ include "argocd-agent-agent.namespace" . }} # agent.principal.address: The remote address of the principal to connect # to. Can be a DNS name, an IPv4 address or an IPv6 address. # Default: "" - agent.server.address: {{ .Values.server}} + agent.server.address: {{ .Values.server | quote }} # agent.server.port: The remote port of the principal to connect to. # Default: "443" agent.server.port: {{ .Values.serverPort | quote }} @@ -81,12 +82,9 @@ data: # agent.redis.username: The username for Redis authentication. # Default: "" agent.redis.username: {{ .Values.redisUsername | quote }} - # agent.keep-alive.interval: The keep-alive interval for connections + # agent.keep-alive.interval: The keep-alive interval for connections. # Default: "30s" agent.keep-alive.interval: {{ .Values.keepAliveInterval | quote }} - # agent.log.format: The log format for the agent (text or json). - # Default: "text" - agent.log.format: {{ .Values.logFormat | quote }} # agent.websocket.enabled: Whether to enable WebSocket connections. # Default: false agent.websocket.enabled: {{ .Values.enableWebSocket | quote }} 
@@ -113,3 +111,16 @@ data: # agent.allowed-namespaces: Additional namespaces the agent can manage. # Default: "" agent.allowed-namespaces: {{ .Values.allowedNamespaces | quote }} + # agent.label-selector: Kubernetes label selector to restrict which + # resources the agent watches. + # Default: "" + agent.label-selector: {{ .Values.labelSelector | quote }} + # agent.redis.tls.enabled: Whether to enable TLS for Redis connections. + # Default: true + agent.redis.tls.enabled: {{ .Values.redisTLS.enabled }} + # agent.redis.tls.ca-path: Path to CA certificate for verifying Redis TLS certificate. + # Default: "" + agent.redis.tls.ca-path: {{ .Values.redisTLS.caPath | quote }} + # agent.redis.tls.insecure: INSECURE: Do not verify Redis TLS certificate. + # Default: false + agent.redis.tls.insecure: {{ .Values.redisTLS.insecure }} diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-role.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-role.yaml similarity index 73% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-role.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/agent-role.yaml index 5806a74b7..142ec3252 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-role.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-role.yaml @@ -1,12 +1,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent name: {{ include "argocd-agent-agent.roleName" . }} - namespace: {{ include "argocd-agent-agent.namespace" . }} + namespace: {{ include "argocd-agent-agent.namespace" . }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} rules: - apiGroups: - argoproj.io 
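Review bot: In the agent-params-cm.yaml hunk, `agent.redis.tls.enabled` and `agent.redis.tls.insecure` are rendered without `| quote`, unlike every other value this commit touches in the same ConfigMap. ConfigMap `data` values must be strings, so a bare `true` or `false` is parsed as a YAML boolean and the API server is likely to reject the object. The lines should read `agent.redis.tls.enabled: {{ .Values.redisTLS.enabled | quote }}` and `agent.redis.tls.insecure: {{ .Values.redisTLS.insecure | quote }}`. The comment `# Default: true` above `agent.redis.tls.enabled` also disagrees with the `redisTLS.enabled: false` default this commit adds to values.yaml. One of the two should change so that nobody assumes Redis traffic is encrypted when the chart default leaves it off.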
diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-rolebinding.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-rolebinding.yaml similarity index 68% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-rolebinding.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/agent-rolebinding.yaml index d06226c79..e7a9e782c 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/agent-rolebinding.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-rolebinding.yaml @@ -1,12 +1,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - labels: - app.kubernetes.io/name: argocd-agent-agent - app.kubernetes.io/part-of: argocd-agent - app.kubernetes.io/component: agent name: {{ include "argocd-agent-agent.roleBindingName" . }} - namespace: {{ include "argocd-agent-agent.namespace" . }} + namespace: {{ include "argocd-agent-agent.namespace" . }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role diff --git a/helm-charts/redhat-argocd-agent/main/src/templates/agent-sa.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-sa.yaml new file mode 100644 index 000000000..f18abeb42 --- /dev/null +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-sa.yaml @@ -0,0 +1,14 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "argocd-agent-agent.serviceAccountName" . }} + namespace: {{ include "argocd-agent-agent.namespace" . }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} \ No newline at end of file 
diff --git a/helm-charts/redhat-argocd-agent/main/src/templates/agent-servicemonitor.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/agent-servicemonitor.yaml new file mode 100644 index 000000000..8beb43ce1 --- /dev/null +++ b/helm-charts/redhat-argocd-agent/main/src/templates/agent-servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "argocd-agent-agent.agentServiceMonitorName" . }} + namespace: {{ default .Release.Namespace .Values.serviceMonitor.namespace }} + labels: + {{- include "argocd-agent-agent.labels" . | nindent 4 }} + {{- with .Values.serviceMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: metrics + {{- with .Values.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + path: /metrics + {{- with .Values.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + honorLabels: {{ .Values.serviceMonitor.honorLabels }} + {{- with .Values.serviceMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ include "argocd-agent-agent.namespace" . }} + selector: + matchLabels: + {{- include "argocd-agent-agent.selectorLabels" . | nindent 6 }} +{{- end }} 
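Review bot: The ServiceMonitor's `metadata.namespace` falls back to `.Release.Namespace`, while the `namespaceSelector` below it and the other templates in this commit use the `argocd-agent-agent.namespace` helper. The helper is defined outside this hunk, but if it honours `namespaceOverride` as the schema description suggests, an overridden install puts the monitor in a different namespace from the Service it selects unless `serviceMonitor.namespace` is also set. If that is not intended, `namespace: {{ default (include "argocd-agent-agent.namespace" .) .Values.serviceMonitor.namespace }}` keeps the two together. `interval`, `scrapeTimeout` and `scheme` are also emitted unquoted, so `| quote` on those three would match the quoting this commit adds in the ConfigMap.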
diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-configMap.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/tests/test-configMap.yaml similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-configMap.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/tests/test-configMap.yaml diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-deployment.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/tests/test-deployment.yaml similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-deployment.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/tests/test-deployment.yaml diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-labels.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/tests/test-labels.yaml similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-labels.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/tests/test-labels.yaml diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-overall.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/tests/test-overall.yaml similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-overall.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/tests/test-overall.yaml diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-rbac.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/tests/test-rbac.yaml similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-rbac.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/tests/test-rbac.yaml 
diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-sa.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/tests/test-sa.yaml similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-sa.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/tests/test-sa.yaml diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-services.yaml b/helm-charts/redhat-argocd-agent/main/src/templates/tests/test-services.yaml similarity index 100% rename from helm-charts/redhat-argocd-agent/0.7.0/src/templates/tests/test-services.yaml rename to helm-charts/redhat-argocd-agent/main/src/templates/tests/test-services.yaml diff --git a/helm-charts/redhat-argocd-agent/main/src/values.schema.json b/helm-charts/redhat-argocd-agent/main/src/values.schema.json new file mode 100644 index 000000000..b882c607c --- /dev/null +++ b/helm-charts/redhat-argocd-agent/main/src/values.schema.json 
@@ -0,0 +1,804 @@ +{ + "$schema": "https://json-schema.org/draft-07/schema#", + "additionalProperties": true, + "properties": { + "affinity": { + "additionalProperties": true, + "description": "Affinity rules for the agent Pod.", + "required": [], + "title": "affinity", + "type": "object" + }, + "agentMode": { + "default": "autonomous", + "description": "#\nAgent mode of operation.", + "title": "agentMode", + "type": "string" + }, + "allowedNamespaces": { + "default": "", + "description": "Comma-separated list of additional namespaces the agent is allowed to\nmanage applications in (used with applications in any namespace feature). Supports glob patterns (e.g., \"team-*,prod-*\").", + "title": "allowedNamespaces", + "type": "string" + }, + "argoCdRedisPasswordKey": { + "default": "auth", + "description": "ArgoCD Redis password key.", + "title": "argoCdRedisPasswordKey", + "type": "string" + }, + "labelSelector": { + "default": "", + "description": "Kubernetes label selector to restrict which resources the agent watches. Only matching resources will be listed, watched, and processed.", + "title": "labelSelector", + "type": "string" + }, + "argoCdRedisSecretName": { + "default": "argocd-redis", + "description": "ArgoCD Redis password secret name.", + "title": "argoCdRedisSecretName", + "type": "string" + }, + "auth": { + "default": "mtls:any", + "description": "Authentication mode for connecting to the principal.", + "title": "auth", + "type": "string" + }, + "cacheRefreshInterval": { + "default": "10s", + "description": "Cache refresh interval.", + "title": "cacheRefreshInterval", + "type": "string" + }, + "createNamespace": { + "default": false, + "description": "Whether to create target namespaces automatically when they don't exist.\nUsed with destination-based mapping.", + "title": "createNamespace", + "type": "boolean" + }, + "destinationBasedMapping": { + "default": false, + "description": "#\nWhether to enable destination-based mapping. 
When enabled, the agent\ncreates applications in their original namespace (preserving the namespace\nfrom the principal) instead of the agent's own namespace.", + "title": "destinationBasedMapping", + "type": "boolean" + }, + "enableCompression": { + "default": false, + "description": "Whether to enable gRPC compression.", + "title": "enableCompression", + "type": "boolean" + }, + "enableResourceProxy": { + "default": true, + "description": "Whether to enable resource proxy.", + "title": "enableResourceProxy", + "type": "boolean" + }, + "enableWebSocket": { + "default": false, + "description": "Whether to enable WebSocket connections.", + "title": "enableWebSocket", + "type": "boolean" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "required": [], + "title": "global", + "type": "object" + }, + "healthzPort": { + "default": "8002", + "description": "Healthz server port exposed by the agent.", + "title": "healthzPort", + "type": "string" + }, + "image": { + "additionalProperties": false, + "description": "#", + "properties": { + "pullPolicy": { + "default": "Always", + "description": "Image pull policy for the agent container.", + "title": "pullPolicy", + "type": "string" + }, + "repository": { + "default": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", + "description": "Container image repository for the agent.", + "title": "repository", + "type": "string" + }, + "tag": { + "default": "latest", + "description": "Container image tag for the agent.", + "title": "tag", + "type": "string" + } + }, + "required": [ + "repository", + "tag", + "pullPolicy" + ], + "title": "image", + "type": "object" + }, + "keepAliveInterval": { + "default": "50s", + "description": "Keep-alive interval for connections.", + "title": "keepAliveInterval", + "type": "string" + }, + "logFormat": { + "default": "text", + "description": "Log format for the agent (text or json).", + "title": 
"logFormat", + "type": "string" + }, + "logLevel": { + "default": "info", + "description": "Log level for the agent.", + "title": "logLevel", + "type": "string" + }, + "metricsPort": { + "default": "8181", + "description": "Metrics server port exposed by the agent.", + "title": "metricsPort", + "type": "string" + }, + "namespaceOverride": { + "default": "", + "description": "#\nOverride namespace to deploy the agent into. Leave empty to use the release namespace.", + "title": "namespaceOverride", + "type": "string" + }, + "nodeSelector": { + "additionalProperties": true, + "description": "#\nNode selector for scheduling the agent Pod.", + "required": [], + "title": "nodeSelector", + "type": "object" + }, + "podAnnotations": { + "additionalProperties": true, + "description": "Additional annotations to add to the agent Pod.", + "required": [], + "title": "podAnnotations", + "type": "object" + }, + "podLabels": { + "additionalProperties": true, + "description": "Additional labels to add to the agent Pod.", + "required": [], + "title": "podLabels", + "type": "object" + }, + "pprofPort": { + "default": "0", + "description": "Port for pprof server (0 disables pprof).", + "title": "pprofPort", + "type": "string" + }, + "priorityClassName": { + "default": "", + "description": "PriorityClassName for the agent Pod.", + "title": "priorityClassName", + "type": "string" + }, + "probes": { + "additionalProperties": false, + "description": "#\nLiveness and readiness probe configuration.", + "properties": { + "liveness": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": true, + "description": "Enable the liveness probe.", + "title": "enabled", + "type": "boolean" + }, + "failureThreshold": { + "default": 3, + "description": "Failure threshold for liveness probe.", + "title": "failureThreshold", + "type": "integer" + }, + "httpGet": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/healthz", + "title": "path", + "type": 
"string" + }, + "port": { + "default": "healthz", + "title": "port", + "type": "string" + } + }, + "required": [ + "path", + "port" + ], + "title": "httpGet", + "type": "object" + }, + "initialDelaySeconds": { + "default": 10, + "description": "Initial delay before the first liveness probe.", + "title": "initialDelaySeconds", + "type": "integer" + }, + "periodSeconds": { + "default": 10, + "description": "Frequency of liveness probes.", + "title": "periodSeconds", + "type": "integer" + }, + "timeoutSeconds": { + "default": 2, + "description": "Timeout for liveness probe.", + "title": "timeoutSeconds", + "type": "integer" + } + }, + "required": [ + "enabled", + "httpGet", + "initialDelaySeconds", + "periodSeconds", + "timeoutSeconds", + "failureThreshold" + ], + "title": "liveness", + "type": "object" + }, + "readiness": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": true, + "description": "Enable the readiness probe.", + "title": "enabled", + "type": "boolean" + }, + "failureThreshold": { + "default": 3, + "description": "Failure threshold for readiness probe.", + "title": "failureThreshold", + "type": "integer" + }, + "httpGet": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/healthz", + "title": "path", + "type": "string" + }, + "port": { + "default": "healthz", + "title": "port", + "type": "string" + } + }, + "required": [ + "path", + "port" + ], + "title": "httpGet", + "type": "object" + }, + "initialDelaySeconds": { + "default": 5, + "description": "Initial delay before the first readiness probe.", + "title": "initialDelaySeconds", + "type": "integer" + }, + "periodSeconds": { + "default": 10, + "description": "Frequency of readiness probes.", + "title": "periodSeconds", + "type": "integer" + }, + "timeoutSeconds": { + "default": 2, + "description": "Timeout for readiness probe.", + "title": "timeoutSeconds", + "type": "integer" + } + }, + "required": [ + "enabled", + "httpGet", + 
"initialDelaySeconds", + "periodSeconds", + "timeoutSeconds", + "failureThreshold" + ], + "title": "readiness", + "type": "object" + } + }, + "required": [ + "liveness", + "readiness" + ], + "title": "probes", + "type": "object" + }, + "redisAddress": { + "default": "argocd-redis:6379", + "description": "Redis address used by the agent.", + "title": "redisAddress", + "type": "string" + }, + "redisUsername": { + "default": "", + "description": "Redis username for authentication.", + "title": "redisUsername", + "type": "string" + }, + "redisTLS": { + "type": "object", + "description": "Redis TLS configuration", + "additionalProperties": false, + "properties": { + "enabled": { + "anyOf": [ + { "type": "string", "enum": ["true", "false"] }, + { "type": "boolean" } + ], + "description": "Enable TLS for Redis connections (can be boolean or string)" + }, + "caPath": { + "type": "string", + "description": "Path to CA certificate for verifying Redis TLS certificate" + }, + "secretName": { + "type": "string", + "description": "Name of the Kubernetes Secret containing the Redis TLS CA certificate" + }, + "insecure": { + "anyOf": [ + { "type": "string", "enum": ["true", "false"] }, + { "type": "boolean" } + ], + "description": "Skip verification of Redis TLS certificate (INSECURE - for development only, can be boolean or string)" + } + }, + "title": "redisTLS" + }, + "replicaCount": { + "default": 1, + "description": "#\nNumber of replicas for the agent Deployment.", + "title": "replicaCount", + "type": "integer" + }, + "resources": { + "additionalProperties": false, + "description": "Resource requests and limits for the agent Pod.", + "properties": { + "limits": { + "additionalProperties": false, + "properties": { + "cpu": { + "default": "500m", + "title": "cpu", + "type": "string" + }, + "memory": { + "default": "512Mi", + "title": "memory", + "type": "string" + } + }, + "required": [ + "cpu", + "memory" + ], + "title": "limits", + "type": "object" + }, + "requests": { + 
"additionalProperties": false, + "properties": { + "cpu": { + "default": "100m", + "title": "cpu", + "type": "string" + }, + "memory": { + "default": "128Mi", + "title": "memory", + "type": "string" + } + }, + "required": [ + "cpu", + "memory" + ], + "title": "requests", + "type": "object" + } + }, + "required": [ + "limits", + "requests" + ], + "title": "resources", + "type": "object" + }, + "server": { + "default": "principal.server.address.com", + "description": "Principal server address (hostname or host:port).", + "title": "server", + "type": "string" + }, + "serverPort": { + "default": "443", + "description": "Principal server port.", + "title": "serverPort", + "type": "string" + }, + "service": { + "additionalProperties": false, + "description": "#\nService configuration for metrics and healthz endpoints.", + "properties": { + "healthz": { + "additionalProperties": false, + "properties": { + "annotations": { + "additionalProperties": true, + "description": "Annotations to add to the healthz Service.", + "required": [], + "title": "annotations", + "type": "object" + }, + "port": { + "default": 8002, + "description": "Service port for healthz.", + "title": "port", + "type": "integer" + }, + "targetPort": { + "default": 8002, + "description": "Target port for healthz.", + "title": "targetPort", + "type": "integer" + } + }, + "required": [ + "port", + "targetPort", + "annotations" + ], + "title": "healthz", + "type": "object" + }, + "metrics": { + "additionalProperties": false, + "properties": { + "annotations": { + "additionalProperties": true, + "description": "Annotations to add to the metrics Service.", + "required": [], + "title": "annotations", + "type": "object" + }, + "port": { + "default": 8181, + "description": "Service port for metrics.", + "title": "port", + "type": "integer" + }, + "targetPort": { + "default": 8181, + "description": "Target port for metrics.", + "title": "targetPort", + "type": "integer" + } + }, + "required": [ + "port", + 
"targetPort", + "annotations" + ], + "title": "metrics", + "type": "object" + } + }, + "required": [ + "metrics", + "healthz" + ], + "title": "service", + "type": "object" + }, + "serviceAccount": { + "additionalProperties": false, + "description": "#\nServiceAccount configuration.", + "properties": { + "annotations": { + "additionalProperties": true, + "description": "Annotations to add to the ServiceAccount.", + "required": [], + "title": "annotations", + "type": "object" + }, + "automountServiceAccountToken": { + "default": true, + "description": "Automount API credentials for the Service Account", + "title": "automountServiceAccountToken", + "type": "boolean" + }, + "create": { + "default": true, + "description": "Whether to create the ServiceAccount.", + "title": "create", + "type": "boolean" + }, + "name": { + "default": "", + "description": "Name of the ServiceAccount to use. If empty, a name is generated.", + "title": "name", + "type": "string" + } + }, + "required": [ + "create", + "name", + "annotations", + "automountServiceAccountToken" + ], + "title": "serviceAccount", + "type": "object" + }, + "serviceMonitor": { + "additionalProperties": false, + "description": "#\nPrometheus ServiceMonitor configuration.", + "properties": { + "additionalLabels": { + "additionalProperties": true, + "description": "Prometheus ServiceMonitor labels", + "required": [], + "title": "additionalLabels", + "type": "object" + }, + "annotations": { + "additionalProperties": true, + "description": "Prometheus ServiceMonitor annotations", + "required": [], + "title": "annotations", + "type": "object" + }, + "enabled": { + "default": false, + "description": "Whether to create a ServiceMonitor resource.", + "title": "enabled", + "type": "boolean" + }, + "honorLabels": { + "default": false, + "description": "When true, honorLabels preserves the metric’s labels when they collide with the target’s labels.", + "title": "honorLabels", + "type": "boolean" + }, + "interval": { + 
"default": "30s", + "description": "Prometheus scrape interval. Must be a valid duration string (e.g. \"30s\").", + "title": "interval", + "type": "string" + }, + "metricRelabelings": { + "description": "Prometheus [MetricRelabelConfigs] to apply to samples before ingestion", + "items": { + "required": [] + }, + "title": "metricRelabelings", + "type": "array" + }, + "namespace": { + "default": "", + "description": "Namespace where the ServiceMonitor should be created. Defaults to release namespace.", + "title": "namespace", + "type": "string" + }, + "relabelings": { + "description": "Prometheus [RelabelConfigs] to apply to samples before scraping", + "items": { + "required": [] + }, + "title": "relabelings", + "type": "array" + }, + "scheme": { + "default": "", + "description": "Prometheus ServiceMonitor scheme", + "title": "scheme", + "type": "string" + }, + "scrapeTimeout": { + "default": "10s", + "description": "Prometheus scrape timeout. Must be a valid duration string (e.g. \"10s\").", + "title": "scrapeTimeout", + "type": "string" + }, + "tlsConfig": { + "additionalProperties": true, + "description": "Prometheus ServiceMonitor tlsConfig", + "required": [], + "title": "tlsConfig", + "type": "object" + } + }, + "required": [ + "enabled", + "additionalLabels", + "annotations", + "namespace", + "interval", + "scrapeTimeout", + "relabelings", + "metricRelabelings", + "honorLabels", + "scheme", + "tlsConfig" + ], + "title": "serviceMonitor", + "type": "object" + }, + "tests": { + "additionalProperties": false, + "description": "#\nConfiguration for helm-chart tests.", + "properties": { + "enabled": { + "default": false, + "description": "By default, chart tests are disabled.", + "title": "enabled", + "type": "boolean" + }, + "image": { + "default": "bitnamilegacy/kubectl", + "description": "Test image.", + "title": "image", + "type": "string" + }, + "tag": { + "default": "1.33.4", + "description": "Test image tag.", + "title": "tag", + "type": "string" + } + }, + 
"required": [ + "enabled", + "image", + "tag" + ], + "title": "tests", + "type": "object" + }, + "tlsCipherSuites": { + "default": "", + "description": "Comma-separated list of TLS cipher suites. Empty uses Go defaults.", + "title": "tlsCipherSuites", + "type": "string" + }, + "tlsClientCertPath": { + "default": "", + "description": "Path to the TLS client certificate.", + "title": "tlsClientCertPath", + "type": "string" + }, + "tlsClientInSecure": { + "default": "false", + "description": "Whether to skip TLS verification for client connections.", + "title": "tlsClientInSecure", + "type": "string" + }, + "tlsClientKeyPath": { + "default": "", + "description": "Path to the TLS client key.", + "title": "tlsClientKeyPath", + "type": "string" + }, + "tlsMaxVersion": { + "default": "", + "description": "Maximum TLS version to use (tls1.1, tls1.2, tls1.3). Empty uses highest available.", + "title": "tlsMaxVersion", + "type": "string" + }, + "tlsMinVersion": { + "default": "", + "description": "Minimum TLS version to use (tls1.1, tls1.2, tls1.3). 
Empty uses Go default.", + "title": "tlsMinVersion", + "type": "string" + }, + "tlsRootCAPath": { + "default": "", + "description": "Path to the TLS root CA certificate.", + "title": "tlsRootCAPath", + "type": "string" + }, + "tlsRootCASecretName": { + "default": "argocd-agent-ca", + "description": "Name of the Secret containing root CA certificate.", + "title": "tlsRootCASecretName", + "type": "string" + }, + "tlsSecretName": { + "default": "argocd-agent-client-tls", + "description": "Name of the TLS Secret containing client cert/key for mTLS.", + "title": "tlsSecretName", + "type": "string" + }, + "tolerations": { + "description": "Tolerations for the agent Pod.", + "items": { + "required": [] + }, + "title": "tolerations", + "type": "array" + }, + "userPasswordSecretName": { + "default": "argocd-agent-agent-userpass", + "description": "Name of the Secret containing agent username/password (if used).", + "title": "userPasswordSecretName", + "type": "string" + } + }, + "required": [ + "namespaceOverride", + "image", + "replicaCount", + "tlsSecretName", + "tlsRootCASecretName", + "userPasswordSecretName", + "resources", + "serviceAccount", + "nodeSelector", + "affinity", + "tolerations", + "podAnnotations", + "podLabels", + "priorityClassName", + "probes", + "agentMode", + "auth", + "logLevel", + "logFormat", + "server", + "serverPort", + "metricsPort", + "tlsClientInSecure", + "healthzPort", + "redisAddress", + "redisUsername", + "argoCdRedisSecretName", + "argoCdRedisPasswordKey", + "enableWebSocket", + "enableCompression", + "pprofPort", + "enableResourceProxy", + "cacheRefreshInterval", + "keepAliveInterval", + "tlsClientKeyPath", + "tlsClientCertPath", + "tlsRootCAPath", + "tlsMinVersion", + "tlsMaxVersion", + "tlsCipherSuites", + "allowedNamespaces", + "destinationBasedMapping", + "createNamespace", + "service", + "serviceMonitor", + "tests" + ], + "type": "object" +} \ No newline at end of file 
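Review bot: Several security-relevant settings in this schema are typed as free-form `"type": "string"` even though their descriptions or the ConfigMap comments list a closed set of values: `tlsClientInSecure`, `tlsMinVersion`, `tlsMaxVersion`, `agentMode` and `logFormat`. A typo in one of them therefore passes `helm install` validation and is only caught, if at all, by the agent at runtime. Adding for example `"enum": ["true", "false"]` to `tlsClientInSecure` and `"enum": ["", "tls1.1", "tls1.2", "tls1.3"]` to the two TLS version fields would fail such input early, the way the `redisTLS` block already does for its flags. The `redisTLS` properties also carry no `"default"` entries, unlike the rest of the file. If this file is generated, the change belongs in the generator or its upstream source rather than here.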
diff --git a/helm-charts/redhat-argocd-agent/0.7.0/src/values.yaml b/helm-charts/redhat-argocd-agent/main/src/values.yaml similarity index 72% rename from helm-charts/redhat-argocd-agent/0.7.0/src/values.yaml rename to helm-charts/redhat-argocd-agent/main/src/values.yaml index c5ca5878a..f7a4a6451 100644 --- a/helm-charts/redhat-argocd-agent/0.7.0/src/values.yaml +++ b/helm-charts/redhat-argocd-agent/main/src/values.yaml @@ -18,6 +18,7 @@ serviceAccount: create: true name: '' annotations: {} + automountServiceAccountToken: true nodeSelector: {} affinity: {} tolerations: [] @@ -71,6 +72,12 @@ tlsCipherSuites: '' allowedNamespaces: '' destinationBasedMapping: false createNamespace: false +labelSelector: '' +redisTLS: + enabled: false + caPath: /app/config/redis-tls/ca.crt + secretName: argocd-redis-tls + insecure: false service: metrics: port: 8181 @@ -80,7 +87,33 @@ service: port: 8002 targetPort: 8002 annotations: {} +serviceMonitor: + enabled: false + additionalLabels: {} + annotations: {} + namespace: '' + interval: 30s + scrapeTimeout: 10s + relabelings: [] + metricRelabelings: [] + honorLabels: false + scheme: '' + tlsConfig: {} tests: enabled: false image: bitnamilegacy/kubectl tag: 1.33.4 +podSecurityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault
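Review bot: The new `podSecurityContext` and `securityContext` defaults in the last hunk have no matching entries in the values.schema.json added by this commit. They are accepted only because the schema root sets `"additionalProperties": true`, so a misspelled key under either block (or a misspelled block name) validates cleanly and the hardening is silently dropped. Declaring both in the schema as `"type": "object"` properties, with the boolean fields typed, would catch that at install time. Whether the deployment template actually consumes these two blocks is outside this hunk and worth confirming. A short comment beside `automountServiceAccountToken: true` in the first hunk, saying why the token mount is needed, would also help anyone reviewing the hardening later.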