diff --git a/install/helm-repo/argocd-agent-principal/Chart.yaml b/install/helm-repo/argocd-agent-principal/Chart.yaml
new file mode 100644
index 00000000..47352a49
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: argocd-agent-principal
+description: A Helm chart for ArgoCD Agent Principal
+type: application
+version: 0.3.1
+appVersion: "0.3.1"
+home: https://github.com/argoproj-labs/argocd-agent
+sources:
+ - https://github.com/argoproj-labs/argocd-agent
+maintainers:
+ - name: ArgoCD Agent Team
diff --git a/install/helm-repo/argocd-agent-principal/NOTES.txt b/install/helm-repo/argocd-agent-principal/NOTES.txt
new file mode 100644
index 00000000..cf9646ee
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/NOTES.txt
@@ -0,0 +1,62 @@ +1. Get the application URL by running these commands: +{{- if eq .Values.service.type "NodePort" }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "argocd-agent-principal.serviceName" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo https://$NODE_IP:$NODE_PORT +{{- else if eq .Values.service.type "LoadBalancer" }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "argocd-agent-principal.serviceName" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "argocd-agent-principal.serviceName" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo https://$SERVICE_IP:{{ .Values.service.port }} +{{- else if eq .Values.service.type "ClusterIP" }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "argocd-agent-principal.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit https://127.0.0.1:8443 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8443:{{ .Values.principal.listen.port }} +{{- end }} + +2. The ArgoCD Agent Principal is now running with the following configuration: + - Listen Port: {{ .Values.principal.listen.port }} + - Metrics Port: {{ .Values.principal.metrics.port }} + - Health Check Port: {{ .Values.principal.healthz.port }} + - Operating Namespace: {{ .Values.principal.namespace }} + {{- if .Values.principal.allowedNamespaces }} + - Allowed Namespaces: {{ .Values.principal.allowedNamespaces }} + {{- end }} + +3. 
To view the logs: + kubectl logs -f deployment/{{ include "argocd-agent-principal.fullname" . }} -n {{ .Release.Namespace }} + +{{- if .Values.metricsService.enabled }} +4. Metrics are available at: + kubectl port-forward svc/{{ include "argocd-agent-principal.metricsServiceName" . }} {{ .Values.metricsService.port }}:{{ .Values.metricsService.port }} -n {{ .Release.Namespace }} + Then visit http://localhost:{{ .Values.metricsService.port }}/metrics +{{- end }} + +{{- if .Values.healthzService.enabled }} +5. Health check is available at: + kubectl port-forward svc/{{ include "argocd-agent-principal.healthzServiceName" . }} {{ .Values.healthzService.port }}:{{ .Values.healthzService.port }} -n {{ .Release.Namespace }} + Then visit http://localhost:{{ .Values.healthzService.port }}/healthz +{{- end }} + +{{- if not .Values.secrets.userpass.passwd }} + +WARNING: You have not set a password for user authentication. +Please update the userpass secret or set principal.auth to use mTLS authentication. + +To set a password: + kubectl create secret generic {{ include "argocd-agent-principal.userpassSecretName" . }} \ + --from-literal=passwd="your-encrypted-password" \ + -n {{ .Release.Namespace }} +{{- end }} + +{{- if and .Values.principal.tls.server.allowGenerate (eq .Values.principal.tls.server.allowGenerate "true") }} + +WARNING: TLS certificate generation is enabled. This is insecure and should only be used for development. +For production, please provide proper TLS certificates. +{{- end }} + +{{- if and .Values.principal.jwt.allowGenerate (eq .Values.principal.jwt.allowGenerate "true") }} + +WARNING: JWT key generation is enabled. This is insecure and should only be used for development. +For production, please provide a proper JWT signing key. +{{- end }} \ No newline at end of file diff --git a/install/helm-repo/argocd-agent-principal/README.md b/install/helm-repo/argocd-agent-principal/README.md new file mode 100644 index 00000000..522061c2 --- /dev/null 
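Review bot: The two development-mode warnings at the end of the file test `eq .Values.principal.tls.server.allowGenerate "true"` and `eq .Values.principal.jwt.allowGenerate "true"`, i.e. they only fire when the value is the string `"true"`; if values.yaml carries a YAML boolean (the README in this commit lists the default as a bare `false`), setting the flag to `true` makes the `eq` compare a bool with a string, which Go templates reject with an incompatible-types error, so enabling the insecure mode breaks rendering instead of printing the warning, and the outer `and … allowGenerate` guard is the only reason the default renders at all. Make the test independent of the scalar type: `{{- if eq (toString .Values.principal.tls.server.allowGenerate) "true" }}` and `{{- if eq (toString .Values.principal.jwt.allowGenerate) "true" }}`, dropping the `and`. The userpass warning above them is fine as written, but it might also state that the `passwd` value is expected in the same encrypted form the principal reads, since `"your-encrypted-password"` is the only hint.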
+++ b/install/helm-repo/argocd-agent-principal/README.md 
@@ -0,0 +1,159 @@ +# ArgoCD Agent Principal + +This Helm chart installs the ArgoCD Agent Principal component, which is part of the ArgoCD Agent system that enables multi-cluster application deployment and management. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2+ +- ArgoCD installed in the cluster +- Redis instance for agent communication + +## Installing the Chart + +To install the chart with the release name `argocd-agent-principal`: + +```bash +helm install argocd-agent-principal . -n argocd +``` + +To install with custom values: + +```bash +helm install argocd-agent-principal . -n argocd -f values.yaml +``` + +## Uninstalling the Chart + +To uninstall/delete the `argocd-agent-principal` deployment: + +```bash +helm uninstall argocd-agent-principal -n argocd +``` + +## Configuration + +The following table lists the configurable parameters of the ArgoCD Agent Principal chart and their default values. + +### Basic Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `namespace` | Target namespace for deployment | `argocd` | +| `replicaCount` | Number of replicas | `1` | + +### Image Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `image.repository` | Image repository | `ghcr.io/argoproj-labs/argocd-agent/argocd-agent` | +| `image.tag` | Image tag | `"d7ee8580"` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | + +### Resource Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `resources.limits.cpu` | CPU limit | `2` | +| `resources.limits.memory` | Memory limit | `4Gi` | +| `resources.requests.cpu` | CPU request | `2` | +| `resources.requests.memory` | Memory request | `4Gi` | + +### Service Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `service.type` | Service type | `LoadBalancer` | +| `service.port` | Service port | `443` | +| `service.targetPort` | 
Target port | `8443` | +| `service.annotations` | Service annotations | `networking.gke.io/load-balancer-type: "Internal"` | + +### Metrics Service + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `metricsService.enabled` | Enable metrics service | `true` | +| `metricsService.type` | Metrics service type | `ClusterIP` | +| `metricsService.port` | Metrics service port | `8000` | + +### Health Check Service + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `healthzService.enabled` | Enable health check service | `true` | +| `healthzService.type` | Health check service type | `ClusterIP` | +| `healthzService.port` | Health check service port | `8003` | + +### Principal Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `principal.listen.port` | gRPC server listen port | `8443` | +| `principal.listen.host` | gRPC server listen host | `""` (all interfaces) | +| `principal.log.level` | Log level (trace, debug, info, warn, error) | `info` | +| `principal.log.format` | Log format (text, json) | `text` | +| `principal.metrics.port` | Metrics server port | `8000` | +| `principal.healthz.port` | Health check server port | `8003` | +| `principal.namespace` | Principal operation namespace | `"argocd"` | +| `principal.allowedNamespaces` | Allowed namespaces for agents | `"argocd,argocd-apps,default"` | + +### Namespace Management + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `principal.namespaceCreate.enable` | Allow namespace creation | `true` | +| `principal.namespaceCreate.pattern` | Namespace creation pattern | `"-agent"` | +| `principal.namespaceCreate.labels` | Labels for created namespaces | `"managed-by=argocd-agent,environment=production"` | + +### TLS Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `principal.tls.secretName` | TLS secret name | 
`"argocd-agent-principal-tls"` | +| `principal.tls.server.allowGenerate` | Allow TLS cert generation | `false` | +| `principal.tls.server.rootCaSecretName` | Root CA secret name | `"argocd-agent-ca"` | +| `principal.tls.clientCert.require` | Require client certificates | `true` | +| `principal.tls.clientCert.matchSubject` | Match subject to agent name | `true` | + +### Redis Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `principal.redis.compressionType` | Redis compression type | `"gzip"` | +| `principal.redis.server.address` | Redis server address | `"argocd-redis:6379"` | + +### Resource Proxy + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `principal.redisProxy.enabled` | Enable Redis proxy | `true` | +| `principal.resourceProxy.enabled` | Enable resource proxy | `true` | +| `principal.resourceProxy.secretName` | Resource proxy TLS secret | `"argocd-agent-resource-proxy-tls"` | +| `principal.resourceProxy.ca.secretName` | Resource proxy CA secret | `"argocd-agent-ca"` | + +### JWT Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `principal.jwt.allowGenerate` | Allow JWT key generation | `false` | +| `principal.jwt.secretName` | JWT secret name | `"argocd-agent-jwt"` | + +### Advanced Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `principal.websocket.enable` | Enable WebSocket streaming | `false` | +| `principal.keepAlive.minInterval` | Keep-alive minimum interval | `"0"` | +| `principal.pprof.port` | pprof server port | `"0"` (disabled) | + +### Secrets Configuration + +| Parameter | Description | Default | +|-----------|-------------|---------| +| `secrets.ca.tls.create` | Create CA TLS secret | `true` | +| `secrets.ca.tls.key` | CA private key (base64) | `` | +| `secrets.ca.tls.crt` | CA certificate (base64) | `` | + +## Usage + +The principal component should be installed in 
the management cluster where ArgoCD is running. It will coordinate with the agent components installed in remote clusters. \ No newline at end of file diff --git a/install/helm-repo/argocd-agent-principal/templates/_helpers.tpl b/install/helm-repo/argocd-agent-principal/templates/_helpers.tpl new file mode 100644 index 00000000..278b2b3c --- /dev/null +++ b/install/helm-repo/argocd-agent-principal/templates/_helpers.tpl 
@@ -0,0 +1,134 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "argocd-agent-principal.name" -}} +{{- default .Chart.Name .Values.global.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "argocd-agent-principal.fullname" -}} +{{- if .Values.global.fullnameOverride }} +{{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.global.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + + +{{/* +Common labels +*/}} +{{- define "argocd-agent-principal.labels" -}} +{{ include "argocd-agent-principal.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: argocd-agent +app.kubernetes.io/component: principal +{{- with .Values.labels }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "argocd-agent-principal.selectorLabels" -}} +app.kubernetes.io/name: {{ include "argocd-agent-principal.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "argocd-agent-principal.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "argocd-agent-principal.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the config map +*/}} +{{- define "argocd-agent-principal.configMapName" -}} +{{- printf "%s-params" (include "argocd-agent-principal.fullname" .) }} +{{- end }} + +{{/* +Create the name of the main service +*/}} +{{- define "argocd-agent-principal.serviceName" -}} +{{- include "argocd-agent-principal.fullname" . }} +{{- end }} + +{{/* +Create the name of the metrics service +*/}} +{{- define "argocd-agent-principal.metricsServiceName" -}} +{{- printf "%s-metrics" (include "argocd-agent-principal.fullname" .) }} +{{- end }} + +{{/* +Create the name of the healthz service +*/}} +{{- define "argocd-agent-principal.healthzServiceName" -}} +{{- printf "%s-healthz" (include "argocd-agent-principal.fullname" .) }} +{{- end }} + +{{/* +Create the name of the cluster role +*/}} +{{- define "argocd-agent-principal.clusterRoleName" -}} +{{- include "argocd-agent-principal.fullname" . }} +{{- end }} + +{{/* +Create the name of the role +*/}} +{{- define "argocd-agent-principal.roleName" -}} +{{- include "argocd-agent-principal.fullname" . }} +{{- end }} + +{{/* +Create the name of the cluster role binding +*/}} +{{- define "argocd-agent-principal.clusterRoleBindingName" -}} +{{- include "argocd-agent-principal.fullname" . }} +{{- end }} + +{{/* +Create the name of the role binding +*/}} +{{- define "argocd-agent-principal.roleBindingName" -}} +{{- include "argocd-agent-principal.fullname" . }} +{{- end }} + + +{{/* +Create the name of the userpass secret +*/}} +{{- define "argocd-agent-principal.userpassSecretName" -}} +{{- printf "%s-userpass" (include "argocd-agent-principal.fullname" .) }} +{{- end }} + + +{{/* +Common annotations +*/}} +{{- define "argocd-agent-principal.annotations" -}} +{{- with .Values.annotations }} +{{ toYaml . }} +{{- end }} +{{- end }} \ No newline at end of file 
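Review bot: `argocd-agent-principal.name` and `.fullname` dereference `.Values.global.nameOverride` and `.Values.global.fullnameOverride`, so unless values.yaml (not in this diff) defines a `global:` map, every template that includes them fails with a nil-pointer template error; the README added in this commit documents neither key, which suggests the map may be absent. Either document the two keys under a `global` section or make the lookup tolerant, e.g. `{{- $global := .Values.global | default dict }}` followed by `{{- default .Chart.Name $global.nameOverride | trunc 63 | trimSuffix "-" }}`, and the same pattern for `fullnameOverride`. The block comment above `fullname` could also say why `global` rather than the usual top-level `nameOverride` is used, since that is the first thing a reader coming from `helm create` will question.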
diff --git a/install/helm-repo/argocd-agent-principal/templates/argocd-agent-ca-secret.yaml b/install/helm-repo/argocd-agent-principal/templates/argocd-agent-ca-secret.yaml
new file mode 100644
index 00000000..3b87e527
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/argocd-agent-ca-secret.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.secrets.ca.tls.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: argocd-agent-ca
+ namespace: {{ .Values.namespace }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .Values.secrets.ca.tls.crt | quote }}
+ tls.key: {{ .Values.secrets.ca.tls.key | quote }}
+{{ end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-clusterrole.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-clusterrole.yaml
new file mode 100644
index 00000000..ed5c4c76
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-clusterrole.yaml
@@ -0,0 +1,36 @@
+{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "argocd-agent-principal.clusterRoleName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+rules:
+- apiGroups:
+ - argoproj.io
+ resources:
+ - applications
+ - appprojects
+ - applicationsets
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - delete
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-clusterrolebinding.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-clusterrolebinding.yaml
new file mode 100644
index 00000000..77dbb86f
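Review bot: The Secret's name is the literal `argocd-agent-ca`, while the principal locates the CA through `principal.tls.server.rootCaSecretName` and `principal.resourceProxy.ca.secretName`, both documented in this commit's README as configurable; overriding either leaves the principal pointing at a secret the chart never creates. Use the same value here, `name: {{ .Values.principal.tls.server.rootCaSecretName }}`; principal-jwt-secret.yaml has the same mismatch between its literal `argocd-agent-jwt` and `principal.jwt.secretName`, which the Deployment already uses for its `jwt-secret` volume. Separately, with `secrets.ca.tls.create` true but `crt`/`key` left empty the template emits a `kubernetes.io/tls` secret with two empty fields and the problem only surfaces when the principal tries to load it; failing the render is clearer, e.g. `tls.crt: {{ required "secrets.ca.tls.crt is required when secrets.ca.tls.create is true" .Values.secrets.ca.tls.crt | quote }}` and the same for `tls.key` (and for `jwt.key` in principal-jwt-secret.yaml). A comment at the top of the file stating that this secret holds the CA private key, not just the certificate, would also help reviewers decide whether it belongs in the same cluster as the principal.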
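Review bot: The ClusterRole grants `create` on `namespaces` unconditionally, although the chart exposes `principal.namespaceCreate.enable` (the params ConfigMap comment later in this commit gives its default as `"false"`, the README as `true`), so installations that never create namespaces still carry a cluster-wide namespace-creation permission. Gate that one verb on the setting and keep `get`/`list`/`watch` unconditional: `{{- if .Values.principal.namespaceCreate.enable }}` / `- create` / `{{- end }}` inside the second rule's `verbs` list. Whether the principal needs `applicationsets` and `appprojects` cluster-wide cannot be judged from this diff; a comment above the first rule naming what each resource and mutating verb is used for would make later least-privilege audits possible, and the two default values should be reconciled before this ships.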
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.rbac.create .Values.rbac.createClusterRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "argocd-agent-principal.clusterRoleBindingName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "argocd-agent-principal.clusterRoleName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "argocd-agent-principal.serviceAccountName" . }}
+ namespace: {{ .Values.namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-deployment.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-deployment.yaml
new file mode 100644
index 00000000..996254ee
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-deployment.yaml
@@ -0,0 +1,300 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ .Values.namespace }} + name: {{ include "argocd-agent-principal.fullname" . }} + labels: + {{- include "argocd-agent-principal.labels" . | nindent 4 }} + {{- with include "argocd-agent-principal.annotations" . }} + annotations: + {{- . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "argocd-agent-principal.selectorLabels" . | nindent 6 }} + app.kubernetes.io/part-of: argocd-agent + app.kubernetes.io/component: principal + template: + metadata: + labels: + {{- include "argocd-agent-principal.selectorLabels" . | nindent 8 }} + app.kubernetes.io/part-of: argocd-agent + app.kubernetes.io/component: principal + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "argocd-agent-principal.serviceAccountName" . }} + containers: + - name: {{ .Chart.Name }} + args: + - principal + {{- range .Values.principal.additionalArgs }} + - {{ . | quote }} + {{- end }} + env: + - name: ARGOCD_PRINCIPAL_LISTEN_HOST + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.listen.host + optional: true + - name: ARGOCD_PRINCIPAL_LISTEN_PORT + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.listen.port + optional: true + - name: ARGOCD_PRINCIPAL_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.log.level + optional: true + - name: ARGOCD_PRINCIPAL_METRICS_PORT + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . 
}} + key: principal.metrics.port + optional: true + - name: ARGOCD_PRINCIPAL_HEALTH_CHECK_PORT + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.healthz.port + optional: true + - name: ARGOCD_PRINCIPAL_NAMESPACE + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.namespace + optional: true + - name: ARGOCD_PRINCIPAL_ALLOWED_NAMESPACES + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.allowed-namespaces + optional: true + - name: ARGOCD_PRINCIPAL_NAMESPACE_CREATE_ENABLE + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.namespace-create.enable + optional: true + - name: ARGOCD_PRINCIPAL_NAMESPACE_CREATE_PATTERN + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.namespace-create.pattern + optional: true + - name: ARGOCD_PRINCIPAL_NAMESPACE_CREATE_LABELS + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.namespace-create.labels + optional: true + - name: ARGOCD_PRINCIPAL_TLS_SECRET_NAME + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.tls.secret-name + optional: true + - name: ARGOCD_PRINCIPAL_TLS_SERVER_CERT_PATH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.tls.server.cert-path + optional: true + - name: ARGOCD_PRINCIPAL_TLS_SERVER_KEY_PATH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.tls.server.key-path + optional: true + - name: ARGOCD_PRINCIPAL_TLS_SERVER_ALLOW_GENERATE + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . 
}} + key: principal.tls.server.allow-generate + optional: true + - name: ARGOCD_PRINCIPAL_TLS_CLIENT_CERT_REQUIRE + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.tls.client-cert.require + optional: true + - name: ARGOCD_PRINCIPAL_TLS_SERVER_ROOT_CA_SECRET_NAME + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.tls.server.root-ca-secret-name + optional: true + - name: ARGOCD_PRINCIPAL_TLS_SERVER_ROOT_CA_PATH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.tls.server.root-ca-path + optional: true + - name: ARGOCD_PRINCIPAL_TLS_CLIENT_CERT_MATCH_SUBJECT + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.tls.client-cert.match-subject + optional: true + - name: ARGOCD_PRINCIPAL_RESOURCE_PROXY_SECRET_NAME + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.resource-proxy.secret-name + optional: true + - name: ARGOCD_PRINCIPAL_RESOURCE_PROXY_TLS_CERT_PATH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.resource-proxy.tls.cert-path + optional: true + - name: ARGOCD_PRINCIPAL_RESOURCE_PROXY_TLS_KEY_PATH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.resource-proxy.tls.key-path + optional: true + - name: ARGOCD_PRINCIPAL_RESOURCE_PROXY_CA_SECRET_NAME + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.resource-proxy.ca.secret-name + optional: true + - name: ARGOCD_PRINCIPAL_RESOURCE_PROXY_CA_PATH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . 
}} + key: principal.resource-proxy.ca.path + optional: true + - name: ARGOCD_PRINCIPAL_JWT_ALLOW_GENERATE + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.jwt.allow-generate + optional: true + - name: ARGOCD_PRINCIPAL_JWT_SECRET_NAME + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.jwt.secret-name + optional: true + - name: ARGOCD_PRINCIPAL_JWT_KEY_PATH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.jwt.key-path + optional: true + - name: ARGOCD_PRINCIPAL_AUTH + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.auth + optional: true + - name: ARGOCD_PRINCIPAL_LOG_FORMAT + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.log.format + optional: true + - name: ARGOCD_PRINCIPAL_ENABLE_WEBSOCKET + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.websocket.enable + optional: true + - name: ARGOCD_PRINCIPAL_REDIS_COMPRESSION_TYPE + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.redis.compression.type + optional: true + - name: ARGOCD_PRINCIPAL_REDIS_SERVER_ADDRESS + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.redis.server.address + optional: true + - name: ARGOCD_PRINCIPAL_ENABLE_RESOURCE_PROXY + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.resource-proxy.enable + optional: true + - name: ARGOCD_PRINCIPAL_KEEP_ALIVE_MIN_INTERVAL + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . 
}} + key: principal.keep-alive.min-interval + optional: true + - name: ARGOCD_PRINCIPAL_PPROF_PORT + valueFrom: + configMapKeyRef: + name: {{ include "argocd-agent-principal.configMapName" . }} + key: principal.pprof.port + optional: true + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: argocd-redis + key: auth + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - containerPort: {{ .Values.principal.listen.port }} + name: principal + - containerPort: {{ .Values.principal.metrics.port }} + name: metrics + - containerPort: {{ .Values.principal.healthz.port }} + name: healthz + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: jwt-secret + mountPath: /app/config/jwt + - name: userpass-passwd + mountPath: /app/config/userpass + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumes: + - name: userpass-passwd + secret: + secretName: {{ include "argocd-agent-principal.userpassSecretName" . }} + items: + - key: passwd + path: passwd + optional: true + - name: jwt-secret + secret: + secretName: {{ .Values.principal.jwt.secretName | quote }} + items: + - key: jwt.key + path: jwt.key + optional: true + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-grpc-service.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-grpc-service.yaml new file mode 100644 index 00000000..11931772 --- /dev/null +++ b/install/helm-repo/argocd-agent-principal/templates/principal-grpc-service.yaml 
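Review bot: The container exposes a `healthz` port (`containerPort: {{ .Values.principal.healthz.port }}`) and NOTES.txt points users at `/healthz` on it, yet the pod spec has no `livenessProbe` or `readinessProbe`, so a principal that wedges after start-up keeps receiving connections from the Service and a bad rollout is never held back. Probes against the existing named port are a small addition, shown below; the timings are constructed starting points, not values taken from the chart. The `REDIS_PASSWORD` env also reads the literal secret `argocd-redis`/`auth` with no `optional`, while the Redis address is configurable via `principal.redis.server.address`, so a non-default Redis leaves the pod in CreateContainerConfigError; exposing the secret name and key as values would keep the fail-closed behaviour without the hard-coding. Finally `secretName: {{ .Values.principal.jwt.secretName | quote }}` for the `jwt-secret` volume is correct, but the jwt Secret template in this commit hard-codes `argocd-agent-jwt`, so the two only agree at the default.
```yaml
          ports:
            # … unchanged: principal, metrics and healthz containerPorts …
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 10  # constructed starting point
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /healthz
              port: healthz
            periodSeconds: 5  # constructed starting point
```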
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: {{ include "argocd-agent-principal.serviceName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with .Values.service.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - name: https
+ protocol: TCP
+ port: {{ .Values.service.port }}
+ targetPort: {{ .Values.service.targetPort }}
+ selector:
+ {{- include "argocd-agent-principal.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-healthz-service.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-healthz-service.yaml
new file mode 100644
index 00000000..e9281276
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-healthz-service.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.healthzService.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: {{ include "argocd-agent-principal.healthzServiceName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with .Values.healthzService.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.healthzService.type }}
+ ports:
+ - name: healthz
+ protocol: TCP
+ port: {{ .Values.healthzService.port }}
+ targetPort: {{ .Values.principal.healthz.port }}
+ selector:
+ {{- include "argocd-agent-principal.selectorLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
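Review bot: In `metadata`, the common annotations are emitted by `{{- with include "argocd-agent-principal.annotations" . }}{{- . | nindent 4 }}{{- end }}` without an `annotations:` key of their own, so whenever `.Values.service.annotations` is empty but `.Values.annotations` is set, the helper output is indented under the preceding `labels:` mapping and is applied as labels (or fails validation when a value is not label-safe). principal-healthz-service.yaml and principal-metrics-service.yaml repeat the construct with `healthzService.annotations` and `metricsService.annotations`; every other template in this commit nests the helper output under its own `annotations:` key and is unaffected. Merge the two maps first and emit a single block, as below, giving the service-specific map precedence so the documented GKE internal-load-balancer default still wins.
```yaml
metadata:
  # … unchanged: namespace, name, labels …
  {{- $annotations := merge (dict) (.Values.service.annotations | default dict) (.Values.annotations | default dict) }}
  {{- with $annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
```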
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-jwt-secret.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-jwt-secret.yaml
new file mode 100644
index 00000000..cdd0c537
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-jwt-secret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.secrets.jwt.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: argocd-agent-jwt
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ jwt.key: {{ .Values.secrets.jwt.key | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-metrics-service.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-metrics-service.yaml
new file mode 100644
index 00000000..49ab84cc
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-metrics-service.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.metricsService.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: {{ include "argocd-agent-principal.metricsServiceName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with .Values.metricsService.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.metricsService.type }}
+ ports:
+ - name: metrics
+ protocol: TCP
+ port: {{ .Values.metricsService.port }}
+ targetPort: {{ .Values.principal.metrics.port }}
+ selector:
+ {{- include "argocd-agent-principal.selectorLabels" . | nindent 4 }}
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-params-cm.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-params-cm.yaml new file mode 100644 index 00000000..c8b4a5e0 --- /dev/null +++ b/install/helm-repo/argocd-agent-principal/templates/principal-params-cm.yaml 
@@ -0,0 +1,153 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ .Values.namespace }} + name: {{ include "argocd-agent-principal.configMapName" . }} + labels: + {{- include "argocd-agent-principal.labels" . | nindent 4 }} + {{- with include "argocd-agent-principal.annotations" . }} + annotations: + {{- . | nindent 4 }} + {{- end }} +data: + # principal.listen.host: The interface address to listen on. Leave empty + # for all interfaces. + # Default: "" + principal.listen.host: {{ .Values.principal.listen.host | quote }} + # principal.listen.port: The port the gRPC server should listen on. + # Default: 8443 + principal.listen.port: {{ .Values.principal.listen.port | quote }} + # principal.log.level: The logging level to use. One of trace, debug, info, + # warn or error. + # Default: info + principal.log.level: {{ .Values.principal.log.level | default "info" | quote }} + # principal.log.format: The log format principal should use. Valid values are + # "json" or "text". + # Default: "text" + principal.log.format: {{ .Values.principal.log.format | default "text" | quote }} + # principal.metrics.port: The port the metrics server should listen on. + # Default: 8000 + principal.metrics.port: {{ .Values.principal.metrics.port | quote }} + # principal.healthz.port: The port the health check server should listen on. + # Default: 8003 + principal.healthz.port: {{ .Values.principal.healthz.port | quote }} + # principal.namespace: The namespace the principal will operate in. If left + # blank, the namespace where the pod is running in will be used. + # Default: "argocd" + principal.namespace: {{ .Values.principal.namespace | quote }} + # principal.allowed-namespaces: A list of namespaces the principal shall + # watch and process Argo CD resources in. Seperate entries using commas. + # Entries may contain shell-style wildcards. 
+ # Default: "" + principal.allowed-namespaces: {{ .Values.principal.allowedNamespaces | quote }} + # principal.namespace-create.enable: Whether the principal is allowed to + # create namespaces for agents if they don't exist yet. Either "true" or + # "false". + # Default: "false" + principal.namespace-create.enable: {{ .Values.principal.namespaceCreate.enable | quote }} + # principal.namespace-create.pattern: A regexp pattern to restrict the names + # of namespaces to be created. If empty, all patterns are allowed. + # Default: "" + principal.namespace-create.pattern: {{ .Values.principal.namespaceCreate.pattern | quote }} + # principal.namespace-create.labels: A set of labels to apply to namespaces + # created for agents. Each label definition needs to be in the format of + # "key=value". Empty values are not allowed. Multiple labels can be given + # as a comma separated list, e.g. "foo=bar,bar=baz" + principal.namespace-create.labels: {{ .Values.principal.namespaceCreate.labels | quote }} + # principal.tls.secret-name: The name of the secret containing the TLS certificate and key. + # Default: "argocd-agent-principal-tls" + principal.tls.secret-name: {{ .Values.principal.tls.secretName | quote }} + # principal.tls.server.cert-path: Path to the TLS certificate to be used by + # the gRPC server. + # Default: "" + principal.tls.server.cert-path: {{ .Values.principal.tls.server.certPath | quote }} + # principal.tls.server.key-path: Path to the TLS private key to be used by + # the gRPC server. + # Default: "" + principal.tls.server.key-path: {{ .Values.principal.tls.server.keyPath | quote }} + # principal.tls.server.allow-generate: Whether to allow the principal to + # generate its own set of TLS cert and key on startup when none are + # configured. This is insecure. Do only use for development. 
+ # Default: false + principal.tls.server.allow-generate: {{ .Values.principal.tls.server.allowGenerate | quote }} + # principal.tls.client-cert.require: Whether to require client certs from + # agents upon connection. + # Default: false + principal.tls.client-cert.require: {{ .Values.principal.tls.clientCert.require | quote }} + # principal.tls.server.secret-name: The name of the secret containing the root CA TLS certificate. + # Default: "argocd-agent-ca" + principal.tls.server.root-ca-secret-name: {{ .Values.principal.tls.server.rootCaSecretName | quote }} + # principal.tls.server.root-ca-path: Path to a TLS root certificate authority + # to be used to validate agent's client certificates against. + # Default: "" + principal.tls.server.root-ca-path: {{ .Values.principal.tls.server.rootCaPath | quote }} + # principal.tls.client-cert.match-subject: Whether to match the subject field + # in a client certificate presented by an agent to the agent's name. + # Default: false + principal.tls.client-cert.match-subject: {{ .Values.principal.tls.clientCert.matchSubject | quote }} + # principal.resource-proxy.secret-name: The name of the secret containing + # the TLS certificate and key for the resource proxy. + # Default: "argocd-agent-resource-proxy-tls" + principal.resource-proxy.secret-name: {{ .Values.principal.resourceProxy.secretName | quote }} + # principal.resource-proxy.tls.cert-path: Path to the TLS certificate to be used by + # the resource proxy. + # Default: "" + principal.resource-proxy.tls.cert-path: {{ .Values.principal.resourceProxy.tls.certPath | quote }} + # principal.resource-proxy.tls.key-path: Path to the TLS private key to be used by + # the resource proxy. + # Default: "" + principal.resource-proxy.tls.key-path: {{ .Values.principal.resourceProxy.tls.keyPath | quote }} + # principal.resource-proxy.ca.secret-name: The name of the secret containing + # the CA certificate for the resource proxy. 
+ # Default: "argocd-agent-ca" + principal.resource-proxy.ca.secret-name: {{ .Values.principal.resourceProxy.ca.secretName | quote }} + # principal.resource-proxy.ca.path: Path to the CA certificate to be used by + # the resource proxy. + # Default: "" + principal.resource-proxy.ca.path: {{ .Values.principal.resourceProxy.ca.path | quote }} + # principal.jwt.allow-generate: Whether to allow the principal to generate + # its own private key for signing JWT tokens. This is insecure. Do only use + # for development. + # Default: false + principal.jwt.allow-generate: {{ .Values.principal.jwt.allowGenerate | quote }} + # principal.jwt.secret-name: The name of the secret containing the JWT signing key. + # Default: "argocd-agent-jwt" + principal.jwt.secret-name: {{ .Values.principal.jwt.secretName | quote }} + # principal.jwt.key-path: Path to the private key to be used for signing JWT + # tokens. + # Default: "" + principal.jwt.key-path: {{ .Values.principal.jwt.keyPath | quote }} + # principal.auth: The authentication method. Must be in the + # format :. Valid values are: + # - "userpass:_path_to_encrypted_creds_" where _path_to_encrypted_creds_ is + # the path to the file containing encrypted credentials for authenticating + # agent connections. + # - "mtls:_agent_id_regex_" where _agent_id_regex_ is the regex pattern for + # extracting the agent ID from client cert subject. Use "mtls:any" to + # accept any client cert. + # Default: userpass:_path_to_encrypted_creds_ + principal.auth: {{ .Values.principal.auth | quote }} + # principal.websocket.enable: Whether to use the websocket to stream events to the + # agent. + # Default: false + principal.websocket.enable: {{ dig "principal" "websocket" "enable" "false" .Values | quote }} + # principal.redis.compression.type: The compression type to use for the Redis + # connection. 
+ # Default: "gzip" + principal.redis.compression.type: {{ dig "principal" "redis" "compressionType" "gzip" .Values | quote }} + # principal.resource-proxy.enable: Whether to enable the resource proxy. + # Default: true + principal.resource-proxy.enable: {{ dig "principal" "resourceProxy" "enable" "true" .Values | quote }} + # principal.keep-alive.min-interval: Drop agent connections that send keepalive pings + # more often than the specified interval. + # Default: 0 + principal.keep-alive.min-interval: {{ dig "principal" "keepAlive" "minInterval" "0" .Values | quote }} + # principal.pprof.port: The port the pprof server will listen on. + # Default: 0 + principal.pprof.port: {{ dig "principal" "pprof" "port" "0" .Values | quote }} + # principal.redis.server.address: The address of the Redis server. + # Default: "argocd-redis:6379" + principal.redis.server.address: {{ dig "principal" "redis" "server" "address" "argocd-redis:6379" .Values | quote }} + {{- range $key, $value := .Values.configMapData }} + {{ $key }}: {{ $value | quote }} + {{- end }} \ No newline at end of file diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-redis-proxy-service.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-redis-proxy-service.yaml new file mode 100644 index 00000000..bc27af0d --- /dev/null +++ b/install/helm-repo/argocd-agent-principal/templates/principal-redis-proxy-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: {{ .Values.namespace }} + labels: + app.kubernetes.io/name: argocd-agent-redis-proxy + app.kubernetes.io/part-of: argocd-agent + app.kubernetes.io/component: redis-proxy + name: argocd-agent-redis-proxy +spec: + ports: + - name: redis-proxy + protocol: TCP + port: 6379 + targetPort: 6379 + selector: + {{- include "argocd-agent-principal.selectorLabels" . | nindent 4 }} 
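Review bot: `principal.resource-proxy.enable` is rendered with `dig "principal" "resourceProxy" "enable" "true" .Values`, but values.yaml and principal-resource-proxy-service.yaml both spell the key `resourceProxy.enabled`, so the dig never finds a value and the ConfigMap always says "true" even when the Service is disabled; use one spelling in all three places, e.g. `principal.resource-proxy.enable: {{ dig "principal" "resourceProxy" "enabled" "true" .Values | quote }}`. Two of the in-ConfigMap comments are wrong as written: the one above `principal.tls.server.root-ca-secret-name` names the key as `principal.tls.server.secret-name`, and the `principal.auth` comment reads "Must be in the format :." where the method and argument placeholders appear to have been dropped (probably angle-bracket text); since these comments ship in the rendered ConfigMap, correcting them and the "Seperate" typo keeps the operator-facing documentation accurate.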
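Review bot: principal-redis-proxy-service.yaml hard-codes its `labels:` block and `name:` and has no enable guard, whereas the other Service templates in this commit render `include "argocd-agent-principal.labels"` plus the chart annotations and are wrapped in an `{{- if }}`; the inconsistency means release-scoped labels are missing from this one object and it cannot be turned off from values. Using `{{- include "argocd-agent-principal.labels" . | nindent 4 }}` and an `{{- if .Values.<redisProxy>.enabled }}` guard (placeholder key, the values file has none for this Service) would bring it in line with its siblings.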
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-resource-proxy-service.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-resource-proxy-service.yaml
new file mode 100644
index 00000000..fbd38cd2
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-resource-proxy-service.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.principal.resourceProxy.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: {{ .Values.namespace }}
+ labels:
+ app.kubernetes.io/name: argocd-agent-resource-proxy
+ app.kubernetes.io/part-of: argocd-agent
+ app.kubernetes.io/component: resource-proxy
+ name: argocd-agent-resource-proxy
+spec:
+ ports:
+ - name: resource-proxy
+ protocol: TCP
+ port: 9090
+ targetPort: 9090
+ selector:
+ app.kubernetes.io/name: argocd-agent-principal
+{{- end }}
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-resource-proxy-tls-secret.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-resource-proxy-tls-secret.yaml
new file mode 100644
index 00000000..604a6ea8
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-resource-proxy-tls-secret.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.secrets.proxy.tls.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: argocd-agent-resource-proxy-tls
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .Values.secrets.proxy.tls.crt | quote }}
+ tls.key: {{ .Values.secrets.proxy.tls.key | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-role.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-role.yaml
new file mode 100644
index 00000000..030ee524
--- /dev/null
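Review bot: The `selector:` at the end of principal-resource-proxy-service.yaml is a literal `app.kubernetes.io/name: argocd-agent-principal`, whereas the metrics and redis-proxy Services in this commit select pods through `include "argocd-agent-principal.selectorLabels"`; if that helper emits a different name or adds an instance label, this Service either matches no pod or matches principal pods from another release in the same namespace. Replacing the literal with `{{- include "argocd-agent-principal.selectorLabels" . | nindent 4 }}` keeps all three Services pointing at the same pods. The `port`/`targetPort` pair is also fixed at 9090 while the other Services take their ports from values; whether the resource-proxy port is configurable on the principal cannot be told from this diff, so a values key is worth considering only if it is.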
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-role.yaml
@@ -0,0 +1,34 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: {{ include "argocd-agent-principal.roleName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ - create
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - list
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-rolebinding.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-rolebinding.yaml
new file mode 100644
index 00000000..ab595df8
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-rolebinding.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: {{ include "argocd-agent-principal.roleBindingName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "argocd-agent-principal.roleName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "argocd-agent-principal.serviceAccountName" . }}
+ namespace: {{ .Values.namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-sa.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-sa.yaml
new file mode 100644
index 00000000..e1f07142
--- /dev/null
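Review bot: The first rule in principal-role.yaml grants create/get/list/watch/update/patch/delete on every Secret and ConfigMap in `{{ .Values.namespace }}` with no `resourceNames`, and values.yaml defaults that namespace to `argocd`, so the principal's ServiceAccount can read and rewrite every Secret that Argo CD itself keeps there, not only the ones this chart creates (argocd-agent-jwt, argocd-agent-principal-tls, argocd-agent-resource-proxy-tls). Which objects the principal actually needs to write is not visible in this diff; if the set is bounded, a `resourceNames` list narrows the grant, and if namespace-wide access is genuinely required, a comment above `rules:` stating why, such as `# namespace-wide Secret/ConfigMap access: <reason> -- confirm against principal's client code`, makes the grant reviewable and lets a future maintainer tighten it. values.yaml also sets `rbac.createClusterRole: true`, but no ClusterRole template appears in this part of the diff; worth checking that the flag is consumed somewhere or dropped.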
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-sa.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: {{ include "argocd-agent-principal.serviceAccountName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ {{- . | nindent 4 }}
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-tls-secret.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-tls-secret.yaml
new file mode 100644
index 00000000..b1b9a3e3
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-tls-secret.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.secrets.server.tls.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: argocd-agent-principal-tls
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+type: kubernetes.io/tls
+data:
+ tls.crt: {{ .Values.secrets.server.tls.crt | quote }}
+ tls.key: {{ .Values.secrets.server.tls.key | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/templates/principal-userpass-secret.yaml b/install/helm-repo/argocd-agent-principal/templates/principal-userpass-secret.yaml
new file mode 100644
index 00000000..412c944e
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/templates/principal-userpass-secret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.secrets.userpass.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: {{ .Values.namespace }}
+ name: {{ include "argocd-agent-principal.userpassSecretName" . }}
+ labels:
+ {{- include "argocd-agent-principal.labels" . | nindent 4 }}
+ {{- with include "argocd-agent-principal.annotations" . }}
+ annotations:
+ {{- . | nindent 4 }}
+ {{- end }}
+type: Opaque
+data:
+ passwd: {{ .Values.secrets.userpass.passwd | quote }}
+{{- end }}
\ No newline at end of file
diff --git a/install/helm-repo/argocd-agent-principal/values.yaml b/install/helm-repo/argocd-agent-principal/values.yaml
new file mode 100644
index 00000000..2b6dd96c
--- /dev/null
+++ b/install/helm-repo/argocd-agent-principal/values.yaml
@@ -0,0 +1,181 @@ +namespace: argocd + +# Image configuration +image: + repository: ghcr.io/argoproj-labs/argocd-agent/argocd-agent + tag: "d7ee8580" # Use specific version instead of latest + pullPolicy: IfNotPresent + +replicaCount: 1 + +resources: + limits: + cpu: 2 + memory: 4Gi + requests: + cpu: 2 + memory: 4Gi + +# Service configuration with LoadBalancer +service: + type: LoadBalancer + port: 443 + targetPort: 8443 + annotations: + networking.gke.io/load-balancer-type: "Internal" + +# Metrics service for monitoring +metricsService: + enabled: true + type: ClusterIP + port: 8000 + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + prometheus.io/path: "/metrics" + +# Health check service +healthzService: + enabled: true + type: ClusterIP + port: 8003 + +# Principal configuration for production +principal: + # Additional arguments apart from default 'principal' command + additionalArgs: [] + # Example: + # additionalArgs: + # - --redis-server-address + # - argocd-argo-cd-redis:6379 + metrics: + port: 8000 + healthz: + port: 8003 + listen: + port: 8443 + # Logging + log: + level: info + + # Namespace configuration + namespace: "argocd" + allowedNamespaces: "argocd,argocd-apps,default" + + # Namespace creation (usually disabled in production) + namespaceCreate: + enable: true + pattern: "-agent" + labels: "managed-by=argocd-agent,environment=production" + + # TLS configuration - secure setup + tls: + secretName: "argocd-agent-principal-tls" + server: + certPath: "" + keyPath: "" + allowGenerate: false # Never allow in production + rootCaSecretName: "argocd-agent-ca" + rootCaPath: "" + clientCert: + require: true # Require client certificates + matchSubject: true # Match subject to agent name + + # Resource proxy configuration + redis: + compressionType: "gzip" + server: + address: "argocd-self-hosted-redis:6379" # Defaults to argocd-redis:6379 if not provided + resourceProxy: + enabled: true + secretName: "argocd-agent-resource-proxy-tls" 
+ tls: + certPath: "" + keyPath: "" + ca: + secretName: "argocd-agent-ca" + path: "" + + # JWT configuration + jwt: + allowGenerate: false # Never allow in production + secretName: "argocd-agent-jwt" + keyPath: "" + + # Authentication - use mTLS in production + auth: "mtls:CN=([^,]+)" + + # Security context for production + securityContext: + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + seccompProfile: + type: RuntimeDefault + + podSecurityContext: + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + fsGroup: 10001 + + # Node affinity for production workloads + affinity: {} + + # Tolerations for dedicated nodes + tolerations: {} + + # Node selector for dedicated nodes + nodeSelector: {} + + # Secrets configuration -Use create and base64 encoded values to create k8s secrets + secrets: + ca: + tls: + create: true + key: "BASE_64_ENCODED_KEY" + crt: "BASE_64_ENCODED_CRT" + server: + tls: + create: true + crt: "BASE_64_ENCODED_CRT" + key: "BASE_64_ENCODED_KEY" + proxy: + tls: + create: true # Make false if secrets are created directly in k8s + crt: "BASE_64_ENCODED_CRT" + key: "BASE_64_ENCODED_KEY" + userpass: + create: false # Not used with mTLS + jwt: + create: true # Managed externally + key: "BASE_64_ENCODED_JWT_KEY" + + # RBAC configuration + rbac: + create: true + createClusterRole: true + + # Service account + serviceAccount: + create: true + annotations: {} + # Add any required annotations for IRSA, Workload Identity, etc. + + # Additional labels for compliance/governance + labels: + environment: production + team: platform + app: argocd-agent + version: latest + + # Monitoring annotations + podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8000" + prometheus.io/path: "/metrics"
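Review bot: `secrets.ca.tls`, `secrets.server.tls`, `secrets.proxy.tls` and `secrets.jwt` all default to `create: true` with placeholder strings such as `"BASE_64_ENCODED_KEY"`, so a plain `helm install` submits Secrets whose `data` is not valid base64 and is rejected by the API server, and the comment "Use create and base64 encoded values to create k8s secrets" steers operators toward committing private keys into a values file. Defaulting these to `create: false`, or leaving the key/crt values empty so a `required` guard in the Secret templates fails the render, and pointing at an external secret source is the safer default for a chart whose comments describe a production profile. `tolerations: {}` is a mapping where a pod spec expects a list; `tolerations: []` is the correct empty value. `namespaceCreate.enable: true` sits directly under the comment "(usually disabled in production)", and `pattern: "-agent"` is an unanchored regexp that admits any namespace name containing that substring, so `enable: false` plus an anchored pattern such as `"^[a-z0-9-]+-agent$"` (constructed example) matches the stated intent. The `jwt.create: true # Managed externally` comment contradicts itself, and `labels.version: latest` disagrees with the pinned `image.tag`.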