feat(argo-cd): Set container security contexts #1579
charts/argo-cd/Chart.yaml
Added info about minimum version of K8s cluster
Hmmm, I am unsure whether we should add this constraint or not. Redis-ha is an optional feature.
Yes, but the seccomp profile is a 1.22 feature.
This will exclude many users like me who don't use the redis-ha feature and run k8s 1.21.
I am unsure what path we should follow. Upstream 2.5 manifests (kustomize) also set seccomp and therefore ensure that customers run k8s >= 1.22.
Maybe we should follow that also. Otherwise our charts support a scenario which is not supported by the project itself.
Inside the upstream operator manual from Argo CD, there is a statement that Argo is only supported on supported k8s versions (kubernetes.io, current: 1.25 minus 3 minor versions => 1.22).
Ref: https://argo-cd.readthedocs.io/en/release-2.5/operator-manual/installation/#supported-versions
@mubarak-j Not really - Azure and GKE already allow 1.22 as a minimum. For AWS the 1.21 EOL is February 2023.
charts/argo-cd/values.yaml
This is available from kubeVersion >= 1.22
Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* feat(argo-cd): Upgrade Argo CD to 2.5.0 (argoproj#1568) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* chore(github): Bump GitHub actions versions (argoproj#1575) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* fix(argo-cd): Chart NOTES nil references (argoproj#1582) Signed-off-by: Filipe Santos <filipe@not.sh>
* docs(argo-cd): Improve documentation (argoproj#1584) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* fix(argo-workflows): serviceaccount rbac when sso is enabled (argoproj#1586) Signed-off-by: Nick Fisher <nxf5025@gmail.com> Signed-off-by: Nick Fisher <nxf5025@gmail.com>
* Fix incorrect applicationSet property in README (argoproj#1590) Based on [here](https://github.com/argoproj/argo-helm/blob/55b8b34d20ebaf38fa05e1113daf30220d11e725/charts/argo-cd/templates/argocd-applicationset/deployment.yaml#L9), I think `replicas` should be `replicaCount` (though `replicas` would be more consistent). Signed-off-by: Ashlin Eldridge <ashlin.eldridge@gmail.com> Signed-off-by: Ashlin Eldridge <ashlin.eldridge@gmail.com>
* fix(argo-cd): Remove AWS volume from server (argoproj#1591) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* chore(argo-cd): Cleanup Redis manifest (argoproj#1577) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* fix(argo-cd): Fix migration path for server configs (argoproj#1585) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* fix(argo-cd): Type conversion for ConfigMaps values (argoproj#1594) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* feat(argo-cd): Add probes for ApplicationSet controller (argoproj#1532) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* chore(argo-cd): Remove liveness probe from application controller (argoproj#1581) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* chore(github): Add dependabot.yml (argoproj#1595) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* feat(argo-cd): Set container security contexts (argoproj#1579) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* feat(argo-cd): Support custom TLS certificates for Dex (argoproj#1477) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* feat(argo-cd): Support manually managed TLS certificate for Server (argoproj#1534) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* fix(argo-cd): Don't install CRDs for disabled components (argoproj#1596) Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
* fix(argo-cd): update network policy port name (argoproj#1603) Signed-off-by: Eric Cimino <ecimino@vailsys.com>
* chore(argo-workflows): Update ArgoWorkflows to v3.4.3 (argoproj#1610) Signed-off-by: yu-croco <yu.croco@gmail.com>
* fix(argo-cd): Replace coalesce with merge for old config values (argoproj#1612) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* feat(argo-cd): Add revisionHistoryLimit (argoproj#1599) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* Upgrade Argo Image to the latest (argoproj#1614) Signed-off-by: Dong Wang <wd@wdicc.com> Signed-off-by: Dong Wang <wd@wdicc.com>
* chore(argo-cd): Update redis-ha (argoproj#1617) Signed-off-by: yu-croco <yu.croco@gmail.com>
* fix(argo-cd): Add /tmp volumeMount to extensions container (argoproj#1620)
  * Fixes argoproj#1619 - Add /tmp volumeMount to extensions container Signed-off-by: Tim Van de Walle <tvandewalle@trek10.com>
  * Bump version, add change notes Signed-off-by: Tim Van de Walle <tvandewalle@trek10.com>
  Signed-off-by: Tim Van de Walle <tvandewalle@trek10.com>
* fix(argo-cd): Add missing ClusterRole permissions to argo-cd-server to manage Application in all namespaces (argoproj#1621) Signed-off-by: Elad Dolev <dolevelad@gmail.com>
* fix(argo-cd): Use Dex non-distroless image (argoproj#1626) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* chore(argo-cd): Upgrade Argo CD to 2.5.2 (argoproj#1628) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* Allow to add custom artifact repository (argoproj#1453) Signed-off-by: Max Kochubey <20810306+maxkochubey@users.noreply.github.com> Signed-off-by: Max Kochubey <20810306+maxkochubey@users.noreply.github.com>
* fix(argo-cd): Use raw json for cluster credentials for Vault compatibility (argoproj#1634) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Co-authored-by: Aikawa <yu.croco@gmail.com>
* fix(argo-cd): Cluster credentials config should be a string (argoproj#1636) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* fix(argo-workflows): Added missing attribute for sso (argoproj#1641) Signed-off-by: yu-croco <yu.croco@gmail.com>
* docs(argo-cd): Improve changelog information (argoproj#1652) Signed-off-by: Petr Drastil <petr.drastil@gmail.com> Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* chore(argo-cd): Consolidated GnuPG configuration (argoproj#1609) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* fix(argo-cd): Invalid argocd-gpg-keys-cm template (argoproj#1656) The template removed a little too much whitespace resulting in an invalid ConfigMap. Error:
  ```
  Error: YAML parse error on argocd/charts/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml: error converting YAML to JSON: yaml: line 10: mapping values are not allowed in this context
  ```
  Signed-off-by: Allex <allexveldman+github@gmail.com> Signed-off-by: Allex <allexveldman+github@gmail.com>
* feat(argo-workflows): Allow controller to whitelist secrets (argoproj#1646)
  * allow users to whitelist secrets Signed-off-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com>
  * remove unnecessary if-statement Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com>
  * use square bracket for array Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com>
  * fix typo and update readme Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com>
  Signed-off-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com> Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com> Co-authored-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com>
* feat(argo-workflows): Add labels for ServiceAccounts (argoproj#1665)
  * Add labels for ServiceAccounts Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com>
  * fix workflow serviceaccount labels Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com>
  * fix docs Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com>
  Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com>
* fix(argo-cd): deprecate server.extraArgs."--insecure" (argoproj#1669) Signed-off-by: GitHub <noreply@github.com> Signed-off-by: GitHub <noreply@github.com>
* chore(argo-workflows): Support workflow retention (argoproj#1668) Signed-off-by: yu-croco <yu.croco@gmail.com>
* feat(argo-cd): Upgrade argocd to v2.5.3 (argoproj#1671) Signed-off-by: smcavallo <smcavallo@hotmail.com>
* fix helm install md (argoproj#1672) Signed-off-by: fsl <1171313930@qq.com> Signed-off-by: fsl <1171313930@qq.com>
* feat(argo-cd): Add Repo Server strict TLS cert support (argoproj#1673) Signed-off-by: Karl Parry <karl.parry@imbursepayments.com>
* chore(argo-workflows): Update Argo Workflows to v3.4.4 (argoproj#1674) Signed-off-by: yu-croco <yu.croco@gmail.com>
* fix(argo-cd): Rename tls secret to include the -secret suffix (argoproj#1676)
  - "[Fixed]: TLS secret name so Dex correctly generates the checksum for argocd-dex-server-tls."
  - "[Fixed]: Standardise the naming convention of the TLS secret manifests."
  - "[Added]: Add checksum to Repo-Server for the argocd-repo-server-tls secret."
  Signed-off-by: Karl Parry <karl.parry@imbursepayments.com>
* chore(argo-cd): Remove duplicate ApplicationSet features (argoproj#1598) Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
* feat(argo-cd): Add ability to annotate Deployments and StatefulSets (argoproj#1608)
  * feat(argo-cd): Add ability to annotate Deployments and StatefulSets Signed-off-by: John Stewart <jstewart@rentpath.com>
  * fix: Controller and AppSet controller was mixed Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
  Signed-off-by: John Stewart <jstewart@rentpath.com> Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com> Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
* chart update WIP
* backport applicationset
* backport applicationset
* argocd 2.5.5

---------

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
Signed-off-by: Filipe Santos <filipe@not.sh>
Signed-off-by: Nick Fisher <nxf5025@gmail.com>
Signed-off-by: Ashlin Eldridge <ashlin.eldridge@gmail.com>
Signed-off-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
Signed-off-by: Eric Cimino <ecimino@vailsys.com>
Signed-off-by: yu-croco <yu.croco@gmail.com>
Signed-off-by: Dong Wang <wd@wdicc.com>
Signed-off-by: Tim Van de Walle <tvandewalle@trek10.com>
Signed-off-by: Elad Dolev <dolevelad@gmail.com>
Signed-off-by: Max Kochubey <20810306+maxkochubey@users.noreply.github.com>
Signed-off-by: Allex <allexveldman+github@gmail.com>
Signed-off-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com>
Signed-off-by: emmayylu <44856279+emmayylu@users.noreply.github.com>
Signed-off-by: Eugene Lugovtsov <lug.zhenia@gmail.com>
Signed-off-by: GitHub <noreply@github.com>
Signed-off-by: smcavallo <smcavallo@hotmail.com>
Signed-off-by: fsl <1171313930@qq.com>
Signed-off-by: Karl Parry <karl.parry@imbursepayments.com>
Signed-off-by: John Stewart <jstewart@rentpath.com>
Co-authored-by: Petr Drastil <petr.drastil@gmail.com>
Co-authored-by: Filipe <filipe@not.sh>
Co-authored-by: Nick Fisher <nxf5025@gmail.com>
Co-authored-by: Ashlin Eldridge <ashlin.eldridge@gmail.com>
Co-authored-by: Marco Kilchhofer <mkilchhofer@users.noreply.github.com>
Co-authored-by: Eric Cimino <58572548+cimin0@users.noreply.github.com>
Co-authored-by: Aikawa <yu.croco@gmail.com>
Co-authored-by: Dong Wang <wd@wdicc.com>
Co-authored-by: tvandewalle <1022306+tvandewalle@users.noreply.github.com>
Co-authored-by: Elad Dolev <dolevelad@gmail.com>
Co-authored-by: Max Kochubey <20810306+maxkochubey@users.noreply.github.com>
Co-authored-by: Allex <a.veldman@chain-stock.com>
Co-authored-by: emmayylu <44856279+emmayylu@users.noreply.github.com>
Co-authored-by: emmayylu <84873428+yolu-kxs@users.noreply.github.com>
Co-authored-by: Eugene Lugovtsov <34510252+EugeneLugovtsov@users.noreply.github.com>
Co-authored-by: Zadkiel Aharonian <zadkiel.aharonian@gmail.com>
Co-authored-by: smcavallo <smcavallo@users.noreply.github.com>
Co-authored-by: fsl <1171313930@qq.com>
Co-authored-by: Karl Parry <88431088+karlparry@users.noreply.github.com>
Co-authored-by: John Stewart <32647598+jstewart612@users.noreply.github.com>
Resolves:
Container security contexts have been placed in the same place across all components
Minimum supported version is 1.22 based on https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions
Note on DCO:
If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.
Checklist:
Changes are automatically published when merged to main. They are not published on branches.
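An added example, not code from this pull request or the argo-helm chart: one way to check that every container in rendered workload manifests carries a hardened security context, including the seccomp profile discussed in the review. The baseline used is the Kubernetes Pod Security Standards "restricted" profile, which is an assumption here and not the chart's actual values; the manifests and their names are constructed.

```python
# Added example: audit parsed workload manifests for container security contexts.
# Baseline: Pod Security Standards "restricted" (an assumption, not the chart's values).

def pod_spec(manifest):
    """Return the pod spec of a Pod or templated workload, or None for other kinds."""
    if manifest.get("kind") == "Pod":
        return manifest.get("spec") or {}
    if manifest.get("kind") in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return None

def audit(manifest):
    """Return (workload, container, problem) tuples for one manifest."""
    spec = pod_spec(manifest)
    if spec is None:
        return []
    pod_sc = spec.get("securityContext") or {}
    workload = f"{manifest['kind']}/{manifest['metadata']['name']}"
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        # runAsNonRoot and seccompProfile fall back to pod level; container level wins.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        drops = (sc.get("capabilities") or {}).get("drop") or []
        checks = [  # the first two fields exist only at container level
            (sc.get("allowPrivilegeEscalation") is False, "allowPrivilegeEscalation is not false"),
            ("ALL" in drops, "capabilities.drop lacks ALL"),
            (non_root is True, "runAsNonRoot is not true"),
            (seccomp in ("RuntimeDefault", "Localhost"), f"seccompProfile.type is {seccomp!r}"),
        ]
        findings += [(workload, c["name"], msg) for ok, msg in checks if not ok]
    return findings

# Constructed sample manifests (hypothetical names), as dicts after YAML parsing.
def _wl(kind, name, pod_sc, containers, init=()):
    spec = {"securityContext": pod_sc, "containers": containers, "initContainers": list(init)}
    return {"kind": kind, "metadata": {"name": name}, "spec": {"template": {"spec": spec}}}

HARD = {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}
SAMPLES = [
    _wl("Deployment", "example-server", {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        [{"name": "server", "securityContext": HARD},
         {"name": "sidecar", "securityContext": {**HARD, "seccompProfile": {"type": "Unconfined"}}}]),
    _wl("StatefulSet", "example-redis", {}, [{"name": "redis", "securityContext": {"runAsNonRoot": True}}],
        init=[{"name": "config-init"}]),
]

if __name__ == "__main__":
    print(*[f for m in SAMPLES for f in audit(m)], sep="\n")
```

Init containers are audited too, and a container that overrides a pod-level `RuntimeDefault` profile with `Unconfined` is reported even though the pod-level setting looks correct.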