iskm/maabara
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

manifests -> helm charts for argocd

Browse Source
This commit is contained in:
Ibrahim Mkusa 2024-12-31 23:04:39 -05:00
parent 6921862a3c
commit be9b3994a7
157 changed files with 21875 additions and 8258 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
manifests/argo-cd/.helmignore Normal file
View File

@ -0,0 +1,4 @@
/*.tgz
output
ci/
*.gotmpl

6
manifests/argo-cd/Chart.lock Normal file
View File

@ -0,0 +1,6 @@
dependencies:
- name: redis-ha
repository: https://dandydeveloper.github.io/charts/
version: 4.29.4
digest: sha256:1257baf1c5e0db036af659d44095223e28ac0c9ec1ed8300a02d5def2281c9c7
generated: "2024-11-13T09:07:36.494128+09:00"

31
manifests/argo-cd/Chart.yaml Normal file
View File

@ -0,0 +1,31 @@
annotations:
artifacthub.io/changes: |
- kind: added
description: Added functionality to en/disable argocd-ssh-known-hosts-cm
artifacthub.io/signKey: |
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
apiVersion: v2
appVersion: v2.13.2
dependencies:
- condition: redis-ha.enabled
name: redis-ha
repository: https://dandydeveloper.github.io/charts/
version: 4.29.4
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool
for Kubernetes.
home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
keywords:
- argoproj
- argocd
- gitops
kubeVersion: '>=1.25.0-0'
maintainers:
- name: argoproj
url: https://argoproj.github.io/
name: argo-cd
sources:
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
- https://github.com/argoproj/argo-cd
version: 7.7.11

1653
manifests/argo-cd/README.md Normal file
View File

File diff suppressed because it is too large Load Diff

25
manifests/argo-cd/charts/redis-ha/.helmignore Normal file
View File

@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
ci/
*.gotmpl

21
manifests/argo-cd/charts/redis-ha/Chart.yaml Normal file
View File

@ -0,0 +1,21 @@
apiVersion: v2
appVersion: 7.2.4
description: This Helm chart provides a highly available Redis implementation with
a master/slave configuration and uses Sentinel sidecars for failover management
home: http://redis.io/
icon: https://upload.wikimedia.org/wikipedia/en/thumb/6/6b/Redis_Logo.svg/1200px-Redis_Logo.svg.png
keywords:
- redis
- keyvalue
- database
maintainers:
- email: salimsalaues@gmail.com
name: ssalaues
- email: aaron.layfield@gmail.com
name: dandydeveloper
name: redis-ha
sources:
- https://redis.io/download
- https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha
- https://github.com/oliver006/redis_exporter
version: 4.29.4

485
manifests/argo-cd/charts/redis-ha/README.md Normal file
View File

@ -0,0 +1,485 @@
# Redis
[Redis](http://redis.io/) is an advanced key-value cache and store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets, sorted sets, bitmaps and hyperloglogs.
## TL;DR
```bash
helm repo add dandydev https://dandydeveloper.github.io/charts
helm install dandydev/redis-ha
```
By default this chart install 3 pods total:
* one pod containing a redis master and sentinel container (optional prometheus metrics exporter sidecar available)
* two pods each containing a redis slave and sentinel containers (optional prometheus metrics exporter sidecars available)
## Introduction
This chart bootstraps a [Redis](https://redis.io) highly available master/slave statefulset in a [Kubernetes](http://kubernetes.io) cluster using the Helm package manager.
## Prerequisites
* Kubernetes 1.8+ with Beta APIs enabled
* PV provisioner support in the underlying infrastructure
## Upgrading the Chart
Please note that there have been a number of changes simplifying the redis management strategy (for better failover and elections) in the 3.x version of this chart. These changes allow the use of official [redis](https://hub.docker.com/_/redis/) images that do not require special RBAC or ServiceAccount roles. As a result when upgrading from version >=2.0.1 to >=3.0.0 of this chart, `Role`, `RoleBinding`, and `ServiceAccount` resources should be deleted manually.
### Upgrading the chart from 3.x to 4.x
Starting from version `4.x` HAProxy sidecar prometheus-exporter removed and replaced by the embedded [HAProxy metrics endpoint](https://github.com/haproxy/haproxy/tree/master/contrib/prometheus-exporter), as a result when upgrading from version 3.x to 4.x section `haproxy.exporter` should be removed and the `haproxy.metrics` need to be configured for fit your needs.
## Installing the Chart
To install the chart
```bash
helm repo add dandydev https://dandydeveloper.github.io/charts
helm install dandydev/redis-ha
```
The command deploys Redis on the Kubernetes cluster in the default configuration. By default this chart install one master pod containing redis master container and sentinel container along with 2 redis slave pods each containing their own sentinel sidecars. The [configuration](#configuration) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the deployment:
```bash
helm delete <chart-name>
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
The following table lists the configurable parameters of the Redis chart and their default values.
### General parameters
| Parameter | Description | Type | Default |
|-----|------|---------|-------------|
| `additionalAffinities` | Additional affinities to add to the Redis server pods. # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity | object | `{}` |
| `affinity` | Override all other affinity settings for the Redis server pods with a string. | string | `""` |
| `auth` | Configures redis with AUTH (requirepass & masterauth conf params) | bool | `false` |
| `authKey` | Defines the key holding the redis password in existing secret. | string | `"auth"` |
| `configmap.labels` | Custom labels for the redis configmap | object | `{}` |
| `configmapTest.image` | Image for redis-ha-configmap-test hook | object | `{"repository":"koalaman/shellcheck","tag":"v0.5.0"}` |
| `configmapTest.image.repository` | Repository of the configmap shellcheck test image. | string | `"koalaman/shellcheck"` |
| `configmapTest.image.tag` | Tag of the configmap shellcheck test image. | string | `"v0.5.0"` |
| `configmapTest.resources` | Resources for the ConfigMap test pod | object | `{}` |
| `containerSecurityContext` | Security context to be added to the Redis containers. | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}}` |
| `emptyDir` | Configuration of `emptyDir`, used only if persistentVolume is disabled and no hostPath specified | object | `{}` |
| `existingSecret` | An existing secret containing a key defined by `authKey` that configures `requirepass` and `masterauth` in the conf parameters (Requires `auth: enabled`, cannot be used in conjunction with `.Values.redisPassword`) | string | `nil` |
| `extraContainers` | Extra containers to include in StatefulSet | list | `[]` |
| `extraInitContainers` | Extra init containers to include in StatefulSet | list | `[]` |
| `extraLabels` | Labels added here are applied to all created resources | object | `{}` |
| `extraVolumes` | Extra volumes to include in StatefulSet | list | `[]` |
| `fullNameOverride` | Full name of the Redis HA Resources | string | `""` |
| `global.compatibility` | Openshift compatibility options | object | `{"openshift":{"adaptSecurityContext":"auto"}}` |
| `global.priorityClassName` | Default priority class for all components | string | `""` |
| `hardAntiAffinity` | Whether the Redis server pods should be forced to run on separate nodes. # This is accomplished by setting their AntiAffinity with requiredDuringSchedulingIgnoredDuringExecution as opposed to preferred. # Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity-beta-feature | bool | `true` |
| `hostPath.chown` | if chown is true, an init-container with root permissions is launched to change the owner of the hostPath folder to the user defined in the security context | bool | `true` |
| `hostPath.path` | Use this path on the host for data storage. path is evaluated as template so placeholders are replaced | string | `""` |
| `image.pullPolicy` | Redis image pull policy | string | `"IfNotPresent"` |
| `image.repository` | Redis image repository | string | `"public.ecr.aws/docker/library/redis"` |
| `image.tag` | Redis image tag | string | `"7.2.4-alpine"` |
| `imagePullSecrets` | Reference to one or more secrets to be used when pulling redis images | list | `[]` |
| `init.resources` | Extra init resources | object | `{}` |
| `labels` | Custom labels for the redis pod | object | `{}` |
| `nameOverride` | Name override for Redis HA resources | string | `""` |
| `networkPolicy.annotations` | Annotations for NetworkPolicy | object | `{}` |
| `networkPolicy.egressRules` | user can define egress rules too, uses the same structure as ingressRules | list | `[{"ports":[{"port":53,"protocol":"UDP"},{"port":53,"protocol":"TCP"}],"selectors":[{"namespaceSelector":{}},{"ipBlock":{"cidr":"169.254.0.0/16"}}]}]` |
| `networkPolicy.egressRules[0].selectors[0]` | Allow all destinations for DNS traffic | object | `{"namespaceSelector":{}}` |
| `networkPolicy.enabled` | whether NetworkPolicy for Redis StatefulSets should be created. when enabled, inter-Redis connectivity is created | bool | `false` |
| `networkPolicy.ingressRules` | User defined ingress rules that Redis should permit into. Uses the format defined in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors | list | `[]` |
| `networkPolicy.labels` | Labels for NetworkPolicy | object | `{}` |
| `nodeSelector` | Node labels for pod assignment | object | `{}` |
| `persistentVolume.accessModes` | Persistent volume access modes | list | `["ReadWriteOnce"]` |
| `persistentVolume.annotations` | Annotations for the volume | object | `{}` |
| `persistentVolume.enabled` | Enable persistent volume | bool | `true` |
| `persistentVolume.labels` | Labels for the volume | object | `{}` |
| `persistentVolume.size` | Persistent volume size | string | `"10Gi"` |
| `persistentVolume.storageClass` | redis-ha data Persistent Volume Storage Class | string | `nil` |
| `podDisruptionBudget` | Pod Disruption Budget rules | object | `{}` |
| `podManagementPolicy` | The statefulset pod management policy | string | `"OrderedReady"` |
| `priorityClassName` | Kubernetes priorityClass name for the redis-ha-server pod | string | `""` |
| `rbac.create` | Create and use RBAC resources | bool | `true` |
| `redis.annotations` | Annotations for the redis statefulset | object | `{}` |
| `redis.authClients` | It is possible to disable client side certificates authentication when "authClients" is set to "no" | string | `""` |
| `redis.config` | Any valid redis config options in this section will be applied to each server, For multi-value configs use list instead of string (for example loadmodule) (see below) | object | see values.yaml |
| `redis.config.maxmemory` | Max memory to use for each redis instance. Default is unlimited. | string | `"0"` |
| `redis.config.maxmemory-policy` | Max memory policy to use for each redis instance. Default is volatile-lru. | string | `"volatile-lru"` |
| `redis.config.min-replicas-max-lag` | Value in seconds | int | `5` |
| `redis.config.repl-diskless-sync` | When enabled, directly sends the RDB over the wire to slaves, without using the disk as intermediate storage. Default is false. | string | `"yes"` |
| `redis.config.save` | Please note that local (on-disk) RDBs will still be created when re-syncing with a new slave. The only way to prevent this is to enable diskless replication. | string | `"900 1"` |
| `redis.customArgs` | Allows overriding the redis container arguments | list | `[]` |
| `redis.customCommand` | Allows overriding the redis container command | list | `[]` |
| `redis.customConfig` | Allows for custom redis.conf files to be applied. If this is used then `redis.config` is ignored | string | `nil` |
| `redis.disableCommands` | Array with commands to disable | list | `["FLUSHDB","FLUSHALL"]` |
| `redis.envFrom` | Load environment variables from ConfigMap/Secret | list | `[]` |
| `redis.extraVolumeMounts` | additional volumeMounts for Redis container | list | `[]` |
| `redis.lifecycle` | Container Lifecycle Hooks for redis container Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ | object | see values.yaml |
| `redis.livenessProbe` | Liveness probe parameters for redis container | object | `{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15}` |
| `redis.livenessProbe.enabled` | Enable the Liveness Probe | bool | `true` |
| `redis.livenessProbe.failureThreshold` | Failure threshold for liveness probe | int | `5` |
| `redis.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe | int | `30` |
| `redis.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | int | `15` |
| `redis.livenessProbe.successThreshold` | Success threshold for liveness probe | int | `1` |
| `redis.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | int | `15` |
| `redis.masterGroupName` | Redis convention for naming the cluster group: must match `^[\\w-\\.]+$` and can be templated | string | `"mymaster"` |
| `redis.port` | Port to access the redis service | int | `6379` |
| `redis.readinessProbe` | Readiness probe parameters for redis container | object | `{"enabled":true,"failureThreshold":5,"initialDelaySeconds":30,"periodSeconds":15,"successThreshold":1,"timeoutSeconds":15}` |
| `redis.readinessProbe.enabled` | Enable the Readiness Probe | bool | `true` |
| `redis.readinessProbe.failureThreshold` | Failure threshold for readiness probe | int | `5` |
| `redis.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe | int | `30` |
| `redis.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | int | `15` |
| `redis.readinessProbe.successThreshold` | Success threshold for readiness probe | int | `1` |
| `redis.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe | int | `15` |
| `redis.resources` | CPU/Memory for master/slave nodes resource requests/limits | object | `{}` |
| `redis.startupProbe` | Startup probe parameters for redis container | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":15}` |
| `redis.startupProbe.enabled` | Enable Startup Probe | bool | `true` |
| `redis.startupProbe.failureThreshold` | Failure threshold for startup probe | int | `3` |
| `redis.startupProbe.initialDelaySeconds` | Initial delay in seconds for startup probe | int | `5` |
| `redis.startupProbe.periodSeconds` | Period in seconds after which startup probe will be repeated | int | `10` |
| `redis.startupProbe.successThreshold` | Success threshold for startup probe | int | `1` |
| `redis.startupProbe.timeoutSeconds` | Timeout seconds for startup probe | int | `15` |
| `redis.terminationGracePeriodSeconds` | Increase terminationGracePeriodSeconds to allow writing large RDB snapshots. (k8s default is 30s) ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination-forced | int | `60` |
| `redis.tlsPort` | TLS Port to access the redis service | int | `nil` |
| `redis.tlsReplication` | Configures redis with tls-replication parameter, if true sets "tls-replication yes" in redis.conf | bool | `nil` |
| `redis.updateStrategy` | Update strategy for Redis StatefulSet # ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies | object | `{"type":"RollingUpdate"}` |
| `redisPassword` | A password that configures a `requirepass` and `masterauth` in the conf parameters (Requires `auth: enabled`) | string | `nil` |
| `replicas` | Number of redis master/slave | int | `3` |
| `restore.existingSecret` | Set existingSecret to true to use secret specified in existingSecret above | bool | `false` |
| `restore.s3.access_key` | Restore init container - AWS AWS_ACCESS_KEY_ID to access restore.s3.source | string | `""` |
| `restore.s3.region` | Restore init container - AWS AWS_REGION to access restore.s3.source | string | `""` |
| `restore.s3.secret_key` | Restore init container - AWS AWS_SECRET_ACCESS_KEY to access restore.s3.source | string | `""` |
| `restore.s3.source` | Restore init container - AWS S3 location of dump - i.e. s3://bucket/dump.rdb or false | string | `""` |
| `restore.ssh.key` | Restore init container - SSH private key to scp restore.ssh.source to init container. Key should be in one line separated with \n. i.e. `-----BEGIN RSA PRIVATE KEY-----\n...\n...\n-----END RSA PRIVATE KEY-----` | string | `""` |
| `restore.ssh.source` | Restore init container - SSH scp location of dump - i.e. user@server:/path/dump.rdb or false | string | `""` |
| `restore.timeout` | Timeout for the restore | int | `600` |
| `ro_replicas` | Comma separated list of slaves which never get promoted to be master. Count starts with 0. Allowed values 1-9. i.e. 3,4 - 3th and 4th redis slave never make it to be master, where master is index 0. | string | `""` |
| `schedulerName` | Use an alternate scheduler, e.g. "stork". ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ | string | `""` |
| `securityContext` | Security context to be added to the Redis StatefulSet. | object | `{"fsGroup":1000,"runAsNonRoot":true,"runAsUser":1000}` |
| `serviceAccount.annotations` | Annotations to be added to the service account for the redis statefulset | object | `{}` |
| `serviceAccount.automountToken` | opt in/out of automounting API credentials into container. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ | bool | `false` |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | bool | `true` |
| `serviceAccount.name` | The name of the ServiceAccount to use. If not set and create is true, a name is generated using the redis-ha.fullname template | string | `""` |
| `serviceLabels` | Custom labels for redis service | object | `{}` |
| `splitBrainDetection.interval` | Interval between redis sentinel and server split brain checks (in seconds) | int | `60` |
| `splitBrainDetection.resources` | splitBrainDetection resources | object | `{}` |
| `sysctlImage.command` | sysctlImage command to execute | list | `[]` |
| `sysctlImage.enabled` | Enable an init container to modify Kernel settings | bool | `false` |
| `sysctlImage.mountHostSys` | Mount the host `/sys` folder to `/host-sys` | bool | `false` |
| `sysctlImage.pullPolicy` | sysctlImage Init container pull policy | string | `"Always"` |
| `sysctlImage.registry` | sysctlImage Init container registry | string | `"public.ecr.aws/docker/library"` |
| `sysctlImage.repository` | sysctlImage Init container name | string | `"busybox"` |
| `sysctlImage.resources` | sysctlImage resources | object | `{}` |
| `sysctlImage.tag` | sysctlImage Init container tag | string | `"1.34.1"` |
| `tls.caCertFile` | Name of CA certificate file | string | `"ca.crt"` |
| `tls.certFile` | Name of certificate file | string | `"redis.crt"` |
| `tls.dhParamsFile` | Name of Diffie-Hellman (DH) key exchange parameters file (Example: redis.dh) | string | `nil` |
| `tls.keyFile` | Name of key file | string | `"redis.key"` |
| `topologySpreadConstraints.enabled` | Enable topology spread constraints | bool | `false` |
| `topologySpreadConstraints.maxSkew` | Max skew of pods tolerated | string | `""` |
| `topologySpreadConstraints.topologyKey` | Topology key for spread constraints | string | `""` |
| `topologySpreadConstraints.whenUnsatisfiable` | Enforcement policy, hard or soft | string | `""` |
### Redis Sentinel parameters
| Parameter | Description | Type | Default |
|-----|------|---------|-------------|
| `sentinel.auth` | Enables or disables sentinel AUTH (Requires `sentinel.password` to be set) | bool | `false` |
| `sentinel.authClients` | It is possible to disable client side certificates authentication when "authClients" is set to "no" | string | `""` |
| `sentinel.authKey` | The key holding the sentinel password in an existing secret. | string | `"sentinel-password"` |
| `sentinel.config` | Valid sentinel config options in this section will be applied as config options to each sentinel (see below) | object | see values.yaml |
| `sentinel.customArgs` | | list | `[]` |
| `sentinel.customCommand` | | list | `[]` |
| `sentinel.customConfig` | Allows for custom sentinel.conf files to be applied. If this is used then `sentinel.config` is ignored | string | `""` |
| `sentinel.existingSecret` | An existing secret containing a key defined by `sentinel.authKey` that configures `requirepass` in the conf parameters (Requires `sentinel.auth: enabled`, cannot be used in conjunction with `.Values.sentinel.password`) | string | `""` |
| `sentinel.extraVolumeMounts` | additional volumeMounts for Sentinel container | list | `[]` |
| `sentinel.lifecycle` | Container Lifecycle Hooks for sentinel container. Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ | object | `{}` |
| `sentinel.livenessProbe.enabled` | | bool | `true` |
| `sentinel.livenessProbe.failureThreshold` | Failure threshold for liveness probe | int | `5` |
| `sentinel.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe | int | `30` |
| `sentinel.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | int | `15` |
| `sentinel.livenessProbe.successThreshold` | Success threshold for liveness probe | int | `1` |
| `sentinel.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe | int | `15` |
| `sentinel.password` | A password that configures a `requirepass` in the conf parameters (Requires `sentinel.auth: enabled`) | string | `nil` |
| `sentinel.port` | Port to access the sentinel service | int | `26379` |
| `sentinel.quorum` | Minimum number of nodes expected to be live. | int | `2` |
| `sentinel.readinessProbe.enabled` | | bool | `true` |
| `sentinel.readinessProbe.failureThreshold` | Failure threshold for readiness probe | int | `5` |
| `sentinel.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe | int | `30` |
| `sentinel.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | int | `15` |
| `sentinel.readinessProbe.successThreshold` | Success threshold for readiness probe | int | `3` |
| `sentinel.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe | int | `15` |
| `sentinel.resources` | CPU/Memory for sentinel node resource requests/limits | object | `{}` |
| `sentinel.startupProbe` | Startup probe parameters for redis container | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":5,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":15}` |
| `sentinel.startupProbe.enabled` | Enable Startup Probe | bool | `true` |
| `sentinel.startupProbe.failureThreshold` | Failure threshold for startup probe | int | `3` |
| `sentinel.startupProbe.initialDelaySeconds` | Initial delay in seconds for startup probe | int | `5` |
| `sentinel.startupProbe.periodSeconds` | Period in seconds after which startup probe will be repeated | int | `10` |
| `sentinel.startupProbe.successThreshold` | Success threshold for startup probe | int | `1` |
| `sentinel.startupProbe.timeoutSeconds` | Timeout seconds for startup probe | int | `15` |
| `sentinel.tlsPort` | TLS Port to access the sentinel service | int | `nil` |
| `sentinel.tlsReplication` | Configures sentinel with tls-replication parameter, if true sets "tls-replication yes" in sentinel.conf | bool | `nil` |
### HAProxy parameters
| Parameter | Description | Type | Default |
|-----|------|---------|-------------|
| `haproxy.IPv6.enabled` | Enable HAProxy parameters to bind and consume IPv6 addresses. Enabled by default. | bool | `true` |
| `haproxy.additionalAffinities` | Additional affinities to add to the haproxy pods. | object | `{}` |
| `haproxy.affinity` | Override all other affinity settings for the haproxy pods with a string. | string | `""` |
| `haproxy.annotations` | HAProxy template annotations | object | `{}` |
| `haproxy.checkFall` | haproxy.cfg `check fall` setting | int | `1` |
| `haproxy.checkInterval` | haproxy.cfg `check inter` setting | string | `"1s"` |
| `haproxy.containerPort` | Modify HAProxy deployment container port | int | `6379` |
| `haproxy.containerSecurityContext` | Security context to be added to the HAProxy containers. | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` |
| `haproxy.customConfig` | Allows for custom config-haproxy.cfg file to be applied. If this is used then default config will be overwriten | string | `nil` |
| `haproxy.deploymentStrategy` | Deployment strategy for the haproxy deployment | object | `{"type":"RollingUpdate"}` |
| `haproxy.emptyDir` | Configuration of `emptyDir` | object | `{}` |
| `haproxy.enabled` | Enabled HAProxy LoadBalancing/Proxy | bool | `false` |
| `haproxy.extraConfig` | Allows to place any additional configuration section to add to the default config-haproxy.cfg | string | `nil` |
| `haproxy.hardAntiAffinity` | Whether the haproxy pods should be forced to run on separate nodes. | bool | `true` |
| `haproxy.image.pullPolicy` | HAProxy Image PullPolicy | string | `"IfNotPresent"` |
| `haproxy.image.repository` | HAProxy Image Repository | string | `"public.ecr.aws/docker/library/haproxy"` |
| `haproxy.image.tag` | HAProxy Image Tag | string | `"2.9.4-alpine"` |
| `haproxy.imagePullSecrets` | Reference to one or more secrets to be used when pulling images ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | list | `[]` |
| `haproxy.init.resources` | Extra init resources | object | `{}` |
| `haproxy.labels` | Custom labels for the haproxy pod | object | `{}` |
| `haproxy.lifecycle` | Container lifecycle hooks. Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ | object | `{}` |
| `haproxy.metrics.enabled` | HAProxy enable prometheus metric scraping | bool | `false` |
| `haproxy.metrics.port` | HAProxy prometheus metrics scraping port | int | `9101` |
| `haproxy.metrics.portName` | HAProxy metrics scraping port name | string | `"http-exporter-port"` |
| `haproxy.metrics.scrapePath` | HAProxy prometheus metrics scraping path | string | `"/metrics"` |
| `haproxy.metrics.serviceMonitor.disableAPICheck` | Disable API Check on ServiceMonitor | bool | `false` |
| `haproxy.metrics.serviceMonitor.enabled` | When set true then use a ServiceMonitor to configure scraping | bool | `false` |
| `haproxy.metrics.serviceMonitor.endpointAdditionalProperties` | Set additional properties for the ServiceMonitor endpoints such as relabeling, scrapeTimeout, tlsConfig, and more. | object | `{}` |
| `haproxy.metrics.serviceMonitor.interval` | Set how frequently Prometheus should scrape (default is 30s) | string | `""` |
| `haproxy.metrics.serviceMonitor.labels` | Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator | object | `{}` |
| `haproxy.metrics.serviceMonitor.namespace` | Set the namespace the ServiceMonitor should be deployed | string | `.Release.Namespace` |
| `haproxy.metrics.serviceMonitor.telemetryPath` | Set path to redis-exporter telemtery-path (default is /metrics) | string | `""` |
| `haproxy.metrics.serviceMonitor.timeout` | Set timeout for scrape (default is 10s) | string | `""` |
| `haproxy.networkPolicy.annotations` | Annotations for Haproxy NetworkPolicy | object | `{}` |
| `haproxy.networkPolicy.egressRules` | user can define egress rules too, uses the same structure as ingressRules | list | `[]` |
| `haproxy.networkPolicy.enabled` | whether NetworkPolicy for Haproxy should be created | bool | `false` |
| `haproxy.networkPolicy.ingressRules` | user defined ingress rules that Haproxy should permit into. uses the format defined in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors | list | `[]` |
| `haproxy.networkPolicy.labels` | Labels for Haproxy NetworkPolicy | object | `{}` |
| `haproxy.podDisruptionBudget` | Pod Disruption Budget ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ | object | `{}` |
| `haproxy.priorityClassName` | Kubernetes priorityClass name for the haproxy pod | string | `""` |
| `haproxy.readOnly` | Enable read-only redis-slaves | object | `{"enabled":false,"port":6380}` |
| `haproxy.readOnly.enabled` | Enable if you want a dedicated port in haproxy for redis-slaves | bool | `false` |
| `haproxy.readOnly.port` | Port for the read-only redis-slaves | int | `6380` |
| `haproxy.replicas` | Number of HAProxy instances | int | `3` |
| `haproxy.resources` | HAProxy resources | object | `{}` |
| `haproxy.securityContext` | Security context to be added to the HAProxy deployment. | object | `{"fsGroup":99,"runAsNonRoot":true,"runAsUser":99}` |
| `haproxy.service.annotations` | HAProxy service annotations | string | `nil` |
| `haproxy.service.externalIPs` | HAProxy external IPs | object | `{}` |
| `haproxy.service.externalTrafficPolicy` | HAProxy service externalTrafficPolicy value (haproxy.service.type must be LoadBalancer) | string | `nil` |
| `haproxy.service.labels` | HAProxy service labels | object | `{}` |
| `haproxy.service.loadBalancerIP` | HAProxy service loadbalancer IP | string | `nil` |
| `haproxy.service.loadBalancerSourceRanges` | List of CIDR's allowed to connect to LoadBalancer | list | `[]` |
| `haproxy.service.nodePort` | HAProxy service nodePort value (haproxy.service.type must be NodePort) | int | `nil` |
| `haproxy.service.type` | HAProxy service type "ClusterIP", "LoadBalancer" or "NodePort" | string | `"ClusterIP"` |
| `haproxy.serviceAccount.automountToken` | | bool | `false` |
| `haproxy.serviceAccount.create` | Specifies whether a ServiceAccount should be created | bool | `true` |
| `haproxy.serviceAccountName` | HAProxy serviceAccountName | string | `"redis-sa"` |
| `haproxy.servicePort` | Modify HAProxy service port | int | `6379` |
| `haproxy.stickyBalancing` | HAProxy sticky load balancing to Redis nodes. Helps with connections shutdown. | bool | `false` |
| `haproxy.tests.resources` | Pod resources for the tests against HAProxy. | object | `{}` |
| `haproxy.timeout.check` | haproxy.cfg `timeout check` setting | string | `"2s"` |
| `haproxy.timeout.client` | haproxy.cfg `timeout client` setting | string | `"330s"` |
| `haproxy.timeout.connect` | haproxy.cfg `timeout connect` setting | string | `"4s"` |
| `haproxy.timeout.server` | haproxy.cfg `timeout server` setting | string | `"330s"` |
| `haproxy.tls` | Enable TLS termination on HAproxy, This will create a volume mount | object | `{"certMountPath":"/tmp/","enabled":false,"keyName":null,"secretName":""}` |
| `haproxy.tls.certMountPath` | Path to mount the secret that contains the certificates. haproxy | string | `"/tmp/"` |
| `haproxy.tls.enabled` | If "true" this will enable TLS termination on haproxy | bool | `false` |
| `haproxy.tls.keyName` | Key file name | string | `nil` |
| `haproxy.tls.secretName` | Secret containing the .pem file | string | `""` |
### Prometheus exporter parameters
| Parameter | Description | Type | Default |
|-----|------|---------|-------------|
| `exporter.address` | Address/Host for Redis instance. Exists to circumvent issues with IPv6 dns resolution that occurs on certain environments | string | `"localhost"` |
| `exporter.enabled` | If `true`, the prometheus exporter sidecar is enabled | bool | `false` |
| `exporter.extraArgs` | Additional args for redis exporter | object | `{}` |
| `exporter.image` | Exporter image | string | `"oliver006/redis_exporter"` |
| `exporter.livenessProbe.httpGet.path` | Exporter liveness probe httpGet path | string | `"/metrics"` |
| `exporter.livenessProbe.httpGet.port` | Exporter liveness probe httpGet port | int | `9121` |
| `exporter.livenessProbe.initialDelaySeconds` | Initial delay in seconds for liveness probe of exporter | int | `15` |
| `exporter.livenessProbe.periodSeconds` | Period in seconds after which liveness probe will be repeated | int | `15` |
| `exporter.livenessProbe.timeoutSeconds` | Timeout seconds for liveness probe of exporter | int | `3` |
| `exporter.port` | Exporter port | int | `9121` |
| `exporter.portName` | Exporter port name | string | `"exporter-port"` |
| `exporter.pullPolicy` | Exporter image pullPolicy | string | `"IfNotPresent"` |
| `exporter.readinessProbe.httpGet.path` | Exporter readiness probe httpGet path | string | `"/metrics"` |
| `exporter.readinessProbe.httpGet.port` | Exporter readiness probe httpGet port | int | `9121` |
| `exporter.readinessProbe.initialDelaySeconds` | Initial delay in seconds for readiness probe of exporter | int | `15` |
| `exporter.readinessProbe.periodSeconds` | Period in seconds after which readiness probe will be repeated | int | `15` |
| `exporter.readinessProbe.successThreshold` | Success threshold for readiness probe of exporter | int | `2` |
| `exporter.readinessProbe.timeoutSeconds` | Timeout seconds for readiness probe of exporter | int | `3` |
| `exporter.resources` | cpu/memory resource limits/requests | object | `{}` |
| `exporter.scrapePath` | Exporter scrape path | string | `"/metrics"` |
| `exporter.script` | A custom custom Lua script that will be mounted to exporter for collection of custom metrics. Creates a ConfigMap and sets env var `REDIS_EXPORTER_SCRIPT`. | string | `""` |
| `exporter.serviceMonitor.disableAPICheck` | Disable API Check on ServiceMonitor | bool | `false` |
| `exporter.serviceMonitor.enabled` | When set true then use a ServiceMonitor to configure scraping | bool | `false` |
| `exporter.serviceMonitor.endpointAdditionalProperties` | Set additional properties for the ServiceMonitor endpoints such as relabeling, scrapeTimeout, tlsConfig, and more. | object | `{}` |
| `exporter.serviceMonitor.interval` | Set how frequently Prometheus should scrape (default is 30s) | string | `""` |
| `exporter.serviceMonitor.labels` | Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator | object | `{}` |
| `exporter.serviceMonitor.namespace` | Set the namespace the ServiceMonitor should be deployed | string | `.Release.Namespace` |
| `exporter.serviceMonitor.telemetryPath` | Set path to redis-exporter telemtery-path (default is /metrics) | string | `""` |
| `exporter.serviceMonitor.timeout` | Set timeout for scrape (default is 10s) | string | `""` |
| `exporter.tag` | Exporter image tag | string | `"v1.57.0"` |
| `prometheusRule.additionalLabels` | Additional labels to be set in metadata. | object | `{}` |
| `prometheusRule.enabled` | If true, creates a Prometheus Operator PrometheusRule. | bool | `false` |
| `prometheusRule.interval` | How often rules in the group are evaluated (falls back to `global.evaluation_interval` if not set). | string | `"10s"` |
| `prometheusRule.namespace` | Namespace which Prometheus is running in. | string | `nil` |
| `prometheusRule.rules` | Rules spec template (see https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#rule). | list | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```bash
$ helm repo add dandydev https://dandydeveloper.github.io/charts
$ helm install \
--set image=redis \
--set tag=5.0.5-alpine \
dandydev/redis-ha
```
The above command sets the Redis server within `default` namespace.
Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,
```bash
helm install -f values.yaml dandydev/redis-ha
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Custom Redis and Sentinel config options
This chart allows for most redis or sentinel config options to be passed as a key value pair through the `values.yaml` under `redis.config` and `sentinel.config`. See links below for all available options.
[Example redis.conf](http://download.redis.io/redis-stable/redis.conf)
[Example sentinel.conf](http://download.redis.io/redis-stable/sentinel.conf)
For example `repl-timeout 60` would be added to the `redis.config` section of the `values.yaml` as:
```yml
repl-timeout: "60"
```
Note:
1. Some config options should be renamed by redis versione.g.:
```yml
# In redis 5.xsee https://raw.githubusercontent.com/antirez/redis/5.0/redis.conf
min-replicas-to-write: 1
min-replicas-max-lag: 5
# In redis 4.x and redis 3.xsee https://raw.githubusercontent.com/antirez/redis/4.0/redis.conf and https://raw.githubusercontent.com/antirez/redis/3.0/redis.conf
min-slaves-to-write 1
min-slaves-max-lag 5
```
Sentinel options supported must be in the the `sentinel <option> <master-group-name> <value>` format. For example, `sentinel down-after-milliseconds 30000` would be added to the `sentinel.config` section of the `values.yaml` as:
```yml
down-after-milliseconds: 30000
```
If more control is needed from either the redis or sentinel config then an entire config can be defined under `redis.customConfig` or `sentinel.customConfig`. Please note that these values will override any configuration options under their respective section. For example, if you define `sentinel.customConfig` then the `sentinel.config` is ignored.
## Host Kernel Settings
Redis may require some changes in the kernel of the host machine to work as expected, in particular increasing the `somaxconn` value and disabling transparent huge pages.
To do so, you can set up a privileged initContainer with the `sysctlImage` config values, for example:
```yml
sysctlImage:
enabled: true
mountHostSys: true
command:
- /bin/sh
- -xc
- |-
sysctl -w net.core.somaxconn=10000
echo never > /host-sys/kernel/mm/transparent_hugepage/enabled
```
## HAProxy startup
When HAProxy is enabled, it will attempt to connect to each announce-service of each redis replica instance in its init container before starting.
It will fail if announce-service IP is not available fast enough (10 seconds max by announce-service).
A such case could happen if the orchestator is pending the nomination of redis pods.
Risk is limited because announce-service is using `publishNotReadyAddresses: true`, although, in such case, HAProxy pod will be rescheduled afterward by the orchestrator.
PodDisruptionBudgets are not configured by default, you may need to set the `haproxy.podDisruptionBudget` parameter in values.yaml to enable it.
## Network policies
If `networkPolicy.enabled` is set to `true`, then a `NetworkPolicy` resource is created with default rules to allow inter-Redis and Sentinel connectivity.
This is a requirement for Redis Pods to come up successfully.
You will need to define `ingressRules` to permit your application connectivity to Redis.
The `selectors` block should be in the format of a [label selector](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors).
Templating is also supported in the selectors.
See such a configuration below.
```yaml
networkPolicy: true
ingressRules:
- selectors:
- namespaceSelector:
matchLabels:
name: my-redis-client-namespace
podSelector:
matchLabels:
# template example
app: |-
{{- .App.Name }}
## ports block is optional (defaults to below), define the block to override the defaults
# ports:
# - port: 6379
# protocol: TCP
# - port: 26379
# protocol: TCP
```
Should your Pod require additional egress rules, define them in a `egressRules` key which is structured identically to an `ingressRules` key.
## Sentinel and redis server split brain detection
Under not entirely known yet circumstances redis sentinel and its corresponding redis server reach a condition that this chart authors call "split brain" (for short). The observed behaviour is the following: the sentinel switches to the new re-elected master, but does not switch its redis server. Majority of original discussion on the problem has happened at the <https://github.com/DandyDeveloper/charts/issues/121>.
The proposed solution is currently implemented as a sidecar container that runs a bash script with the following logic:
1. Every `splitBrainDetection.interval` seconds a master (as known by sentinel) is determined
1. If it is the current node: ensure the redis server's role is master as well.
1. If it is not the current node: ensure the redis server also replicates from the same node.
If any of the checks above fails - the redis server reinitialisation happens (it regenerates configs the same way it's done during the pod init), and then the redis server is instructed to shutdown. Then kubernetes restarts the container immediately.
# Change Log
## 4.14.9 - ** POTENTIAL BREAKING CHANGE. **
Introduced the ability to change the Haproxy Deployment container pod
- Container port in redis-haproxy-deployment.yam has been changed. Was **redis.port** To **haproxy.containerPort**. Default value is 6379.
- Port in redis-haproxy-service.yaml has been changed. Was **redis.port** To **haproxy.servicePort**. Default value is 6379.
## 4.21.0 - BREAKING CHANGES (Kubernetes Deprecation)
This version introduced the deprecation of the PSP and subsequently added fields to the securityContexts that were introduced in Kubernetes v1.19:
https://kubernetes.io/docs/tutorials/security/seccomp/
As a result, from this version onwards Kubernetes versions older than 1.19 will fail to install without the removal of `.Values.containerSecurityContext.seccompProfile` and `.Values.haproxy.containerSecurityContext.seccompProfile` (If HAProxy is enabled)
----------------------------------------------
Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/helm-docs)

25
manifests/argo-cd/charts/redis-ha/templates/NOTES.txt Normal file
View File

@ -0,0 +1,25 @@
Redis can be accessed via {{ if ne (int .Values.redis.port) 0 }}port {{ .Values.redis.port }}{{ end }} {{ if .Values.redis.tlsPort }} tls-port {{ .Values.redis.tlsPort }}{{ end }} and Sentinel can be accessed via {{ if ne (int .Values.sentinel.port) 0 }}port {{ .Values.sentinel.port }}{{ end }} {{ if .Values.sentinel.tlsPort }} tls-port {{ .Values.sentinel.tlsPort }}{{ end }} on the following DNS name from within your cluster:
{{ template "redis-ha.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
To connect to your Redis server:
{{- if .Values.auth }}
1. To retrieve the redis password:
echo $(kubectl get secret {{ template "redis-ha.fullname" . }} -o "jsonpath={.data['auth']}" | base64 --decode)
2. Connect to the Redis master pod that you can use as a client. By default the {{ template "redis-ha.fullname" . }}-server-0 pod is configured as the master:
kubectl exec -it {{ template "redis-ha.fullname" . }}-server-0 -n {{ .Release.Namespace }} -c redis -- sh
3. Connect using the Redis CLI (inside container):
redis-cli -a <REDIS-PASS-FROM-SECRET>
{{- else }}
1. Run a Redis pod that you can use as a client:
kubectl exec -it {{ template "redis-ha.fullname" . }}-server-0 -n {{ .Release.Namespace }} -c redis -- sh
2. Connect using the Redis CLI:
redis-cli -h {{ template "redis-ha.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
{{- end }}

730
manifests/argo-cd/charts/redis-ha/templates/_configs.tpl Normal file
View File

@ -0,0 +1,730 @@
{{/* vim: set filetype=mustache: */}}
{{- define "config-redis.conf" }}
{{- if .Values.redis.customConfig }}
{{ tpl .Values.redis.customConfig . | indent 4 }}
{{- else }}
dir "/data"
port {{ .Values.redis.port }}
{{- if .Values.sentinel.tlsPort }}
tls-port {{ .Values.redis.tlsPort }}
tls-cert-file /tls-certs/{{ .Values.tls.certFile }}
tls-key-file /tls-certs/{{ .Values.tls.keyFile }}
{{- if .Values.tls.dhParamsFile }}
tls-dh-params-file /tls-certs/{{ .Values.tls.dhParamsFile }}
{{- end }}
{{- if .Values.tls.caCertFile }}
tls-ca-cert-file /tls-certs/{{ .Values.tls.caCertFile }}
{{- end }}
{{- if eq (default "yes" .Values.redis.authClients) "no"}}
tls-auth-clients no
{{- end }}
tls-replication {{ if .Values.redis.tlsReplication }}yes{{ else }}no{{ end }}
{{- end }}
{{- if .Values.redis.disableCommands }}
{{- range .Values.redis.disableCommands }}
rename-command {{ . }} ""
{{- end }}
{{- end }}
{{- range $key, $value := .Values.redis.config }}
{{- if kindIs "slice" $value }}
{{- range $value }}
{{ $key }} {{ . }}
{{- end }}
{{- else }}
{{ $key }} {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.auth }}
requirepass replace-default-auth
masterauth replace-default-auth
{{- end }}
{{- end }}
{{- end }}
{{- define "config-sentinel.conf" }}
{{- if .Values.sentinel.customConfig }}
{{ tpl .Values.sentinel.customConfig . | indent 4 }}
{{- else }}
dir "/data"
port {{ .Values.sentinel.port }}
{{- if .Values.sentinel.bind }}
bind {{ .Values.sentinel.bind }}
{{- end }}
{{- if .Values.sentinel.tlsPort }}
tls-port {{ .Values.sentinel.tlsPort }}
tls-cert-file /tls-certs/{{ .Values.tls.certFile }}
tls-key-file /tls-certs/{{ .Values.tls.keyFile }}
{{- if .Values.tls.dhParamsFile }}
tls-dh-params-file /tls-certs/{{ .Values.tls.dhParamsFile }}
{{- end }}
{{- if .Values.tls.caCertFile }}
tls-ca-cert-file /tls-certs/{{ .Values.tls.caCertFile }}
{{- end }}
{{- if eq (default "yes" .Values.sentinel.authClients) "no"}}
tls-auth-clients no
{{- end }}
tls-replication {{ if .Values.sentinel.tlsReplication }}yes{{ else }}no{{ end }}
{{- end }}
{{- range $key, $value := .Values.sentinel.config }}
{{- if eq "maxclients" $key }}
{{ $key }} {{ $value }}
{{- else }}
sentinel {{ $key }} {{ template "redis-ha.masterGroupName" $ }} {{ $value }}
{{- end }}
{{- end }}
{{- if .Values.auth }}
sentinel auth-pass {{ template "redis-ha.masterGroupName" . }} replace-default-auth
{{- end }}
{{- if .Values.sentinel.auth }}
requirepass replace-default-sentinel-auth
{{- end }}
{{- end }}
{{- end }}
{{- define "lib.sh" }}
sentinel_get_master() {
set +e
if [ "$SENTINEL_PORT" -eq 0 ]; then
redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" {{ if .Values.sentinel.auth }} -a "${SENTINELAUTH}" --no-auth-warning{{ end }} --tls --cacert /tls-certs/{{ .Values.tls.caCertFile }} {{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{ end }} sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
else
redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" {{ if .Values.sentinel.auth }} -a "${SENTINELAUTH}" --no-auth-warning{{ end }} sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
fi
set -e
}
sentinel_get_master_retry() {
master=''
retry=${1}
sleep=3
for i in $(seq 1 "${retry}"); do
master=$(sentinel_get_master)
if [ -n "${master}" ]; then
break
fi
sleep $((sleep + i))
done
echo "${master}"
}
identify_master() {
echo "Identifying redis master (get-master-addr-by-name).."
echo " using sentinel ({{ template "redis-ha.fullname" . }}), sentinel group name ({{ template "redis-ha.masterGroupName" . }})"
MASTER="$(sentinel_get_master_retry 3)"
if [ -n "${MASTER}" ]; then
echo " $(date) Found redis master (${MASTER})"
else
echo " $(date) Did not find redis master (${MASTER})"
fi
}
sentinel_update() {
echo "Updating sentinel config.."
echo " evaluating sentinel id (\${SENTINEL_ID_${INDEX}})"
eval MY_SENTINEL_ID="\$SENTINEL_ID_${INDEX}"
echo " sentinel id (${MY_SENTINEL_ID}), sentinel grp (${MASTER_GROUP}), quorum (${QUORUM})"
sed -i "1s/^/sentinel myid ${MY_SENTINEL_ID}\\n/" "${SENTINEL_CONF}"
if [ "$SENTINEL_TLS_REPLICATION_ENABLED" = true ]; then
echo " redis master (${1}:${REDIS_TLS_PORT})"
sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_TLS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
else
echo " redis master (${1}:${REDIS_PORT})"
sed -i "2s/^/sentinel monitor ${MASTER_GROUP} ${1} ${REDIS_PORT} ${QUORUM} \\n/" "${SENTINEL_CONF}"
fi
echo "sentinel announce-ip ${ANNOUNCE_IP}" >> ${SENTINEL_CONF}
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " announce (${ANNOUNCE_IP}:${SENTINEL_TLS_PORT})"
echo "sentinel announce-port ${SENTINEL_TLS_PORT}" >> ${SENTINEL_CONF}
else
echo " announce (${ANNOUNCE_IP}:${SENTINEL_PORT})"
echo "sentinel announce-port ${SENTINEL_PORT}" >> ${SENTINEL_CONF}
fi
}
redis_update() {
echo "Updating redis config.."
if [ "$REDIS_TLS_REPLICATION_ENABLED" = true ]; then
echo " we are slave of redis master (${1}:${REDIS_TLS_PORT})"
echo "slaveof ${1} ${REDIS_TLS_PORT}" >> "${REDIS_CONF}"
echo "slave-announce-port ${REDIS_TLS_PORT}" >> ${REDIS_CONF}
else
echo " we are slave of redis master (${1}:${REDIS_PORT})"
echo "slaveof ${1} ${REDIS_PORT}" >> "${REDIS_CONF}"
echo "slave-announce-port ${REDIS_PORT}" >> ${REDIS_CONF}
fi
echo "slave-announce-ip ${ANNOUNCE_IP}" >> ${REDIS_CONF}
}
copy_config() {
echo "Copying default redis config.."
echo " to '${REDIS_CONF}'"
cp /readonly-config/redis.conf "${REDIS_CONF}"
echo "Copying default sentinel config.."
echo " to '${SENTINEL_CONF}'"
cp /readonly-config/sentinel.conf "${SENTINEL_CONF}"
}
setup_defaults() {
echo "Setting up defaults.."
echo " using statefulset index (${INDEX})"
if [ "${INDEX}" = "0" ]; then
echo "Setting this pod as master for redis and sentinel.."
echo " using announce (${ANNOUNCE_IP})"
redis_update "${ANNOUNCE_IP}"
sentinel_update "${ANNOUNCE_IP}"
echo " make sure ${ANNOUNCE_IP} is not a slave (slaveof no one)"
sed -i "s/^.*slaveof.*//" "${REDIS_CONF}"
else
echo "Getting redis master ip.."
echo " blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
if [ -z "${DEFAULT_MASTER}" ]; then
echo "Error: Unable to resolve redis master (getent hosts)."
exit 1
fi
echo " identified redis (may be redis master) ip (${DEFAULT_MASTER})"
echo "Setting default slave config for redis and sentinel.."
echo " using master ip (${DEFAULT_MASTER})"
redis_update "${DEFAULT_MASTER}"
sentinel_update "${DEFAULT_MASTER}"
fi
}
redis_ping() {
set +e
if [ "$REDIS_PORT" -eq 0 ]; then
redis-cli -h "${MASTER}"{{ if .Values.auth }} -a "${AUTH}" --no-auth-warning{{ end }} -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/{{ .Values.tls.caCertFile }} {{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{ end }} ping
else
redis-cli -h "${MASTER}"{{ if .Values.auth }} -a "${AUTH}" --no-auth-warning{{ end }} -p "${REDIS_PORT}" ping
fi
set -e
}
redis_ping_retry() {
ping=''
retry=${1}
sleep=3
for i in $(seq 1 "${retry}"); do
if [ "$(redis_ping)" = "PONG" ]; then
ping='PONG'
break
fi
sleep $((sleep + i))
MASTER=$(sentinel_get_master)
done
echo "${ping}"
}
find_master() {
echo "Verifying redis master.."
if [ "$REDIS_PORT" -eq 0 ]; then
echo " ping (${MASTER}:${REDIS_TLS_PORT})"
else
echo " ping (${MASTER}:${REDIS_PORT})"
fi
if [ "$(redis_ping_retry 3)" != "PONG" ]; then
echo " $(date) Can't ping redis master (${MASTER})"
echo "Attempting to force failover (sentinel failover).."
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}" {{ if .Values.sentinel.auth }} -a "${SENTINELAUTH}" --no-auth-warning{{ end }} --tls --cacert /tls-certs/{{ .Values.tls.caCertFile }} {{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{ end }} sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
echo " $(date) Failover returned with 'NOGOODSLAVE'"
echo "Setting defaults for this pod.."
setup_defaults
return 0
fi
else
echo " on sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
if redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}" {{ if .Values.sentinel.auth }} -a "${SENTINELAUTH}" --no-auth-warning{{ end }} sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
echo " $(date) Failover returned with 'NOGOODSLAVE'"
echo "Setting defaults for this pod.."
setup_defaults
return 0
fi
fi
echo "Hold on for 10sec"
sleep 10
echo "We should get redis master's ip now. Asking (get-master-addr-by-name).."
if [ "$SENTINEL_PORT" -eq 0 ]; then
echo " sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
else
echo " sentinel (${SERVICE}:${SENTINEL_PORT}), sentinel grp (${MASTER_GROUP})"
fi
MASTER="$(sentinel_get_master)"
if [ "${MASTER}" ]; then
echo " $(date) Found redis master (${MASTER})"
echo "Updating redis and sentinel config.."
sentinel_update "${MASTER}"
redis_update "${MASTER}"
else
echo "$(date) Error: Could not failover, exiting..."
exit 1
fi
else
echo " $(date) Found reachable redis master (${MASTER})"
echo "Updating redis and sentinel config.."
sentinel_update "${MASTER}"
redis_update "${MASTER}"
fi
}
redis_ro_update() {
echo "Updating read-only redis config.."
echo " redis.conf set 'replica-priority 0'"
echo "replica-priority 0" >> ${REDIS_CONF}
}
getent_hosts() {
index=${1:-${INDEX}}
service="${SERVICE}-announce-${index}"
host=$(getent hosts "${service}")
echo "${host}"
}
identify_announce_ip() {
echo "Identify announce ip for this pod.."
echo " using (${SERVICE}-announce-${INDEX}) or (${SERVICE}-server-${INDEX})"
ANNOUNCE_IP=$(getent_hosts | awk '{ print $1 }')
echo " identified announce (${ANNOUNCE_IP})"
}
{{- end }}
{{- define "vars.sh" }}
HOSTNAME="$(hostname)"
{{- if .Values.ro_replicas }}
RO_REPLICAS="{{ .Values.ro_replicas }}"
{{- end }}
INDEX="${HOSTNAME##*-}"
SENTINEL_PORT={{ .Values.sentinel.port }}
ANNOUNCE_IP=''
MASTER=''
MASTER_GROUP="{{ template "redis-ha.masterGroupName" . }}"
QUORUM="{{ .Values.sentinel.quorum }}"
REDIS_CONF=/data/conf/redis.conf
REDIS_PORT={{ .Values.redis.port }}
REDIS_TLS_PORT={{ .Values.redis.tlsPort }}
SENTINEL_CONF=/data/conf/sentinel.conf
SENTINEL_TLS_PORT={{ .Values.sentinel.tlsPort }}
SERVICE={{ template "redis-ha.fullname" . }}
SENTINEL_TLS_REPLICATION_ENABLED={{ default false .Values.sentinel.tlsReplication }}
REDIS_TLS_REPLICATION_ENABLED={{ default false .Values.redis.tlsReplication }}
{{- end }}
{{- define "config-init.sh" }}
echo "$(date) Start..."
{{- include "vars.sh" . }}
set -eu
{{- include "lib.sh" . }}
mkdir -p /data/conf/
echo "Initializing config.."
copy_config
# where is redis master
identify_master
identify_announce_ip
if [ -z "${ANNOUNCE_IP}" ]; then
"Error: Could not resolve the announce ip for this pod."
exit 1
elif [ "${MASTER}" ]; then
find_master
else
setup_defaults
fi
{{- if .Values.ro_replicas }}
# works only if index is less than 10
echo "Verifying redis read-only replica.."
echo " we have RO_REPLICAS='${RO_REPLICAS}' with INDEX='${INDEX}'"
if echo "${RO_REPLICAS}" | grep -q "${INDEX}" ; then
redis_ro_update
fi
{{- end }}
if [ "${AUTH:-}" ]; then
echo "Setting redis auth values.."
ESCAPED_AUTH=$(echo "${AUTH}" | sed -e 's/[\/&]/\\&/g');
sed -i "s/replace-default-auth/${ESCAPED_AUTH}/" "${REDIS_CONF}" "${SENTINEL_CONF}"
fi
if [ "${SENTINELAUTH:-}" ]; then
echo "Setting sentinel auth values"
ESCAPED_AUTH_SENTINEL=$(echo "$SENTINELAUTH" | sed -e 's/[\/&]/\\&/g');
sed -i "s/replace-default-sentinel-auth/${ESCAPED_AUTH_SENTINEL}/" "$SENTINEL_CONF"
fi
echo "$(date) Ready..."
{{- end }}
{{- define "trigger-failover-if-master.sh" }}
{{- if or (eq (int .Values.redis.port) 0) (eq (int .Values.sentinel.port) 0) }}
TLS_CLIENT_OPTION="--tls --cacert /tls-certs/{{ .Values.tls.caCertFile }}{{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{end}}"
{{- end }}
get_redis_role() {
is_master=$(
redis-cli \
{{- if .Values.auth }}
-a "${AUTH}" --no-auth-warning \
{{- end }}
-h localhost \
{{- if (int .Values.redis.port) }}
-p {{ .Values.redis.port }} \
{{- else }}
-p {{ .Values.redis.tlsPort }} ${TLS_CLIENT_OPTION} \
{{- end}}
info | grep -c 'role:master' || true
)
}
get_redis_role
if [[ "$is_master" -eq 1 ]]; then
echo "This node is currently master, we trigger a failover."
{{- $masterGroupName := include "redis-ha.masterGroupName" . }}
response=$(
redis-cli \
{{- if .Values.sentinel.auth }}
-a "${SENTINELAUTH}" --no-auth-warning \
{{- end }}
-h localhost \
{{- if (int .Values.sentinel.port) }}
-p {{ .Values.sentinel.port }} \
{{- else }}
-p {{ .Values.sentinel.tlsPort }} ${TLS_CLIENT_OPTION} \
{{- end}}
SENTINEL failover {{ $masterGroupName }}
)
if [[ "$response" != "OK" ]] ; then
echo "$response"
exit 1
fi
timeout=30
while [[ "$is_master" -eq 1 && $timeout -gt 0 ]]; do
sleep 1
get_redis_role
timeout=$((timeout - 1))
done
echo "Failover successful"
fi
{{- end }}
{{- define "fix-split-brain.sh" }}
{{- include "vars.sh" . }}
ROLE=''
REDIS_MASTER=''
set -eu
{{- include "lib.sh" . }}
redis_role() {
set +e
if [ "$REDIS_PORT" -eq 0 ]; then
ROLE=$(redis-cli {{ if .Values.auth }} -a "${AUTH}" --no-auth-warning{{ end }} -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/{{ .Values.tls.caCertFile }} {{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{ end }} info | grep role | sed 's/role://' | sed 's/\r//')
else
ROLE=$(redis-cli {{ if .Values.auth }} -a "${AUTH}" --no-auth-warning{{ end }} -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
fi
set -e
}
identify_redis_master() {
set +e
if [ "$REDIS_PORT" -eq 0 ]; then
REDIS_MASTER=$(redis-cli {{ if .Values.auth }} -a "${AUTH}" --no-auth-warning{{ end }} -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/{{ .Values.tls.caCertFile }} {{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{ end }} info | grep master_host | sed 's/master_host://' | sed 's/\r//')
else
REDIS_MASTER=$(redis-cli {{ if .Values.auth }} -a "${AUTH}" --no-auth-warning{{ end }} -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
fi
set -e
}
reinit() {
set +e
sh /readonly-config/init.sh
if [ "$REDIS_PORT" -eq 0 ]; then
echo "shutdown" | redis-cli {{ if .Values.auth }} -a "${AUTH}" --no-auth-warning{{ end }} -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/{{ .Values.tls.caCertFile }} {{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{ end }}
else
echo "shutdown" | redis-cli {{ if .Values.auth }} -a "${AUTH}" --no-auth-warning{{ end }} -p "${REDIS_PORT}"
fi
set -e
}
identify_announce_ip
while [ -z "${ANNOUNCE_IP}" ]; do
echo "Error: Could not resolve the announce ip for this pod."
sleep 30
identify_announce_ip
done
trap "exit 0" TERM
while true; do
sleep {{ .Values.splitBrainDetection.interval }}
# where is redis master
identify_master
if [ "$MASTER" = "$ANNOUNCE_IP" ]; then
redis_role
if [ "$ROLE" != "master" ]; then
reinit
fi
elif [ "${MASTER}" ]; then
identify_redis_master
if [ "$REDIS_MASTER" != "$MASTER" ]; then
reinit
fi
fi
done
{{- end }}
{{- define "config-haproxy.cfg" }}
{{- if .Values.haproxy.customConfig }}
{{ tpl .Values.haproxy.customConfig . | indent 4 }}
{{- else }}
defaults REDIS
mode tcp
timeout connect {{ .Values.haproxy.timeout.connect }}
timeout server {{ .Values.haproxy.timeout.server }}
timeout client {{ .Values.haproxy.timeout.client }}
timeout check {{ .Values.haproxy.timeout.check }}
listen health_check_http_url
bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:8888 {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
mode http
monitor-uri /healthz
option dontlognull
{{- $root := . }}
{{- $fullName := include "redis-ha.fullname" . }}
{{- $replicas := int (toString .Values.replicas) }}
{{- $masterGroupName := include "redis-ha.masterGroupName" . }}
{{- range $i := until $replicas }}
# Check Sentinel and whether they are nominated master
backend check_if_redis_is_master_{{ $i }}
mode tcp
option tcp-check
tcp-check connect
{{- if $root.Values.sentinel.auth }}
tcp-check send "AUTH ${SENTINELAUTH}"\r\n
tcp-check expect string +OK
{{- end }}
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send SENTINEL\ get-master-addr-by-name\ {{ $masterGroupName }}\r\n
tcp-check expect string REPLACE_ANNOUNCE{{ $i }}
tcp-check send QUIT\r\n
{{- range $i := until $replicas }}
server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:26379 check inter {{ $root.Values.haproxy.checkInterval }}
{{- end }}
{{- end }}
# decide redis backend to use
#master
frontend ft_redis_master
{{- if .Values.haproxy.tls.enabled }}
bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ $root.Values.haproxy.containerPort }} ssl crt {{ .Values.haproxy.tls.certMountPath }}{{ .Values.haproxy.tls.keyName }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
{{ else }}
bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ $root.Values.redis.port }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
{{- end }}
use_backend bk_redis_master
{{- if .Values.haproxy.readOnly.enabled }}
#slave
frontend ft_redis_slave
bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ .Values.haproxy.readOnly.port }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
use_backend bk_redis_slave
{{- end }}
# Check all redis servers to see if they think they are master
backend bk_redis_master
{{- if .Values.haproxy.stickyBalancing }}
balance source
hash-type consistent
{{- end }}
mode tcp
option tcp-check
tcp-check connect
{{- if .Values.auth }}
tcp-check send "AUTH ${AUTH}"\r\n
tcp-check expect string +OK
{{- end }}
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send info\ replication\r\n
tcp-check expect string role:master
tcp-check send QUIT\r\n
tcp-check expect string +OK
{{- range $i := until $replicas }}
use-server R{{ $i }} if { srv_is_up(R{{ $i }}) } { nbsrv(check_if_redis_is_master_{{ $i }}) ge 2 }
server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:{{ $root.Values.redis.port }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1
{{- end }}
{{- if .Values.haproxy.readOnly.enabled }}
backend bk_redis_slave
{{- if .Values.haproxy.stickyBalancing }}
balance source
hash-type consistent
{{- end }}
mode tcp
option tcp-check
tcp-check connect
{{- if .Values.auth }}
tcp-check send "AUTH ${AUTH}"\r\n
tcp-check expect string +OK
{{- end }}
tcp-check send PING\r\n
tcp-check expect string +PONG
tcp-check send info\ replication\r\n
tcp-check expect string role:slave
tcp-check send QUIT\r\n
tcp-check expect string +OK
{{- range $i := until $replicas }}
server R{{ $i }} {{ $fullName }}-announce-{{ $i }}:{{ $root.Values.redis.port }} check inter {{ $root.Values.haproxy.checkInterval }} fall {{ $root.Values.haproxy.checkFall }} rise 1
{{- end }}
{{- end }}
{{- if .Values.haproxy.metrics.enabled }}
frontend stats
mode http
bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ .Values.haproxy.metrics.port }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
http-request use-service prometheus-exporter if { path {{ .Values.haproxy.metrics.scrapePath }} }
stats enable
stats uri /stats
stats refresh 10s
{{- end }}
{{- if .Values.haproxy.extraConfig }}
# Additional configuration
{{ .Values.haproxy.extraConfig | indent 4 }}
{{- end }}
{{- end }}
{{- end }}
{{- define "config-haproxy_init.sh" }}
HAPROXY_CONF=/data/haproxy.cfg
cp /readonly/haproxy.cfg "$HAPROXY_CONF"
{{- $fullName := include "redis-ha.fullname" . }}
{{- $replicas := int (toString .Values.replicas) }}
{{- range $i := until $replicas }}
for loop in $(seq 1 10); do
getent hosts {{ $fullName }}-announce-{{ $i }} && break
echo "Waiting for service {{ $fullName }}-announce-{{ $i }} to be ready ($loop) ..." && sleep 1
done
ANNOUNCE_IP{{ $i }}=$(getent hosts "{{ $fullName }}-announce-{{ $i }}" | awk '{ print $1 }')
if [ -z "$ANNOUNCE_IP{{ $i }}" ]; then
echo "Could not resolve the announce ip for {{ $fullName }}-announce-{{ $i }}"
exit 1
fi
sed -i "s/REPLACE_ANNOUNCE{{ $i }}/$ANNOUNCE_IP{{ $i }}/" "$HAPROXY_CONF"
{{- end }}
{{- end }}
{{- define "redis_liveness.sh" }}
{{- if not (ne (int .Values.sentinel.port) 0) }}
TLS_CLIENT_OPTION="--tls --cacert /tls-certs/{{ .Values.tls.caCertFile }}{{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{end}}"
{{- end }}
response=$(
redis-cli \
{{- if .Values.auth }}
-a "${AUTH}" --no-auth-warning \
{{- end }}
-h localhost \
{{- if ne (int .Values.redis.port) 0 }}
-p {{ .Values.redis.port }} \
{{- else }}
-p {{ .Values.redis.tlsPort }} ${TLS_CLIENT_OPTION} \
{{- end}}
ping
)
echo "response=$response"
case $response in
PONG|LOADING*) ;;
*) exit 1 ;;
esac
exit 0
{{- end }}
{{- define "redis_readiness.sh" }}
{{- if not (ne (int .Values.sentinel.port) 0) }}
TLS_CLIENT_OPTION="--tls --cacert /tls-certs/{{ .Values.tls.caCertFile }}{{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{end}}"
{{- end }}
response=$(
redis-cli \
{{- if .Values.auth }}
-a "${AUTH}" --no-auth-warning \
{{- end }}
-h localhost \
{{- if ne (int .Values.redis.port) 0 }}
-p {{ .Values.redis.port }} \
{{- else }}
-p {{ .Values.redis.tlsPort }} ${TLS_CLIENT_OPTION} \
{{- end}}
ping
)
if [ "$response" != "PONG" ] ; then
echo "ping=$response"
exit 1
fi
response=$(
redis-cli \
{{- if .Values.auth }}
-a "${AUTH}" --no-auth-warning \
{{- end }}
-h localhost \
{{- if ne (int .Values.redis.port) 0 }}
-p {{ .Values.redis.port }} \
{{- else }}
-p {{ .Values.redis.tlsPort }} ${TLS_CLIENT_OPTION} \
{{- end}}
role
)
role=$( echo "$response" | sed "1!d" )
if [ "$role" = "master" ]; then
echo "role=$role"
exit 0
elif [ "$role" = "slave" ]; then
repl=$( echo "$response" | sed "4!d" )
echo "role=$role; repl=$repl"
if [ "$repl" = "connected" ]; then
exit 0
else
exit 1
fi
else
echo "role=$role"
exit 1
fi
{{- end }}
{{- define "sentinel_liveness.sh" }}
{{- if not (ne (int .Values.sentinel.port) 0) }}
TLS_CLIENT_OPTION="--tls --cacert /tls-certs/{{ .Values.tls.caCertFile }}{{ if ne (default "yes" .Values.sentinel.authClients) "no"}} --cert /tls-certs/{{ .Values.tls.certFile }} --key /tls-certs/{{ .Values.tls.keyFile }}{{end}}"
{{- end }}
response=$(
redis-cli \
{{- if .Values.sentinel.auth }}
-a "${SENTINELAUTH}" --no-auth-warning \
{{- end }}
-h localhost \
{{- if ne (int .Values.sentinel.port) 0 }}
-p {{ .Values.sentinel.port }} \
{{- else }}
-p {{ .Values.sentinel.tlsPort }} ${TLS_CLIENT_OPTION} \
{{- end}}
ping
)
if [ "$response" != "PONG" ]; then
echo "$response"
exit 1
fi
echo "response=$response"
{{- end }}

130
manifests/argo-cd/charts/redis-ha/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,130 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "redis-ha.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "redis-ha.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Return sysctl image
*/}}
{{- define "redis.sysctl.image" -}}
{{- $registryName := default "docker.io" .Values.sysctlImage.registry -}}
{{- $tag := default "latest" .Values.sysctlImage.tag | toString -}}
{{- printf "%s/%s:%s" $registryName .Values.sysctlImage.repository $tag -}}
{{- end -}}
{{- /*
Credit: @technosophos
https://github.com/technosophos/common-chart/
labels.standard prints the standard Helm labels.
The standard labels are frequently used in metadata.
*/ -}}
{{- define "labels.standard" -}}
app: {{ template "redis-ha.name" . }}
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
chart: {{ template "chartref" . }}
{{- end -}}
{{- /*
Credit: @technosophos
https://github.com/technosophos/common-chart/
chartref prints a chart name and version.
It does minimal escaping for use in Kubernetes labels.
Example output:
zookeeper-1.2.3
wordpress-3.2.1_20170219
*/ -}}
{{- define "chartref" -}}
{{- replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name -}}
{{- end -}}
{{/*
Create the name of the service account to use
*/}}
{{- define "redis-ha.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
{{ default (include "redis-ha.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{- define "redis-ha.masterGroupName" -}}
{{- $masterGroupName := tpl ( .Values.redis.masterGroupName | default "") . -}}
{{- $validMasterGroupName := regexMatch "^[\\w-\\.]+$" $masterGroupName -}}
{{- if $validMasterGroupName -}}
{{ $masterGroupName }}
{{- else -}}
{{ required "A valid .Values.redis.masterGroupName entry is required (matching ^[\\w-\\.]+$)" ""}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for poddisruptionbudget.
*/}}
{{- define "redis-ha.podDisruptionBudget.apiVersion" -}}
{{- if .Capabilities.APIVersions.Has "policy/v1" }}
{{- print "policy/v1" -}}
{{- else -}}
{{- print "policy/v1beta1" -}}
{{- end -}}
{{- end -}}
{{/*
Return true if the detected platform is Openshift
Usage:
{{- include "common.compatibility.isOpenshift" . -}}
*/}}
{{- define "compatibility.isOpenshift" -}}
{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
Usage:
{{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
*/}}
{{- define "compatibility.renderSecurityContext" -}}
{{- $adaptedContext := .secContext -}}
{{- if (((.context.Values.global).compatibility).openshift) -}}
{{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "compatibility.isOpenshift" .context)) -}}
{{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
{{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
{{- if not .secContext.seLinuxOptions -}}
{{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
{{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* Remove fields that are disregarded when running the container in privileged mode */}}
{{- if $adaptedContext.privileged -}}
{{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
{{- end -}}
{{- omit $adaptedContext "enabled" | toYaml -}}
{{- end -}}

15
manifests/argo-cd/charts/redis-ha/templates/redis-auth-secret.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if and .Values.auth (not .Values.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "redis-ha.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
type: Opaque
data:
{{ .Values.authKey }}: {{ .Values.redisPassword | b64enc | quote }}
{{- end -}}

64
manifests/argo-cd/charts/redis-ha/templates/redis-ha-announce-service.yaml Normal file
View File

@ -0,0 +1,64 @@
{{- $fullName := include "redis-ha.fullname" . }}
{{- $namespace := .Release.Namespace -}}
{{- $replicas := int (toString .Values.replicas) }}
{{- $root := . }}
{{- range $i := until $replicas }}
---
apiVersion: v1
kind: Service
metadata:
name: {{ $fullName }}-announce-{{ $i }}
namespace: {{ $namespace | quote}}
labels:
{{ include "labels.standard" $root | indent 4 }}
{{- range $key, $value := $root.Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
annotations:
{{- if (semverCompare "<=1.10-0" $.Capabilities.KubeVersion.GitVersion) }}
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
{{- end }}
{{- if $root.Values.serviceAnnotations }}
{{ toYaml $root.Values.serviceAnnotations | indent 4 }}
{{- end }}
spec:
{{- if (semverCompare ">=1.11-0" $.Capabilities.KubeVersion.GitVersion) }}
publishNotReadyAddresses: true
{{- end }}
type: ClusterIP
ports:
{{- if ne (int $root.Values.redis.port) 0 }}
- name: tcp-server
port: {{ $root.Values.redis.port }}
protocol: TCP
targetPort: redis
{{- end }}
{{- if $root.Values.redis.tlsPort }}
- name: server-tls
port: {{ $root.Values.redis.tlsPort }}
protocol: TCP
targetPort: redis-tls
{{- end }}
{{- if ne (int $root.Values.sentinel.port) 0 }}
- name: tcp-sentinel
port: {{ $root.Values.sentinel.port }}
protocol: TCP
targetPort: sentinel
{{- end }}
{{- if $root.Values.sentinel.tlsPort }}
- name: sentinel-tls
port: {{ $root.Values.sentinel.tlsPort }}
protocol: TCP
targetPort: sentinel-tls
{{- end }}
{{- if $root.Values.exporter.enabled }}
- name: http-exporter
port: {{ $root.Values.exporter.port }}
protocol: TCP
targetPort: {{ $root.Values.exporter.portName }}
{{- end }}
selector:
release: {{ $root.Release.Name }}
app: {{ include "redis-ha.name" $root }}
"statefulset.kubernetes.io/pod-name": {{ $fullName }}-server-{{ $i }}
{{- end }}

37
manifests/argo-cd/charts/redis-ha/templates/redis-ha-configmap.yaml Normal file
View File

@ -0,0 +1,37 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "redis-ha.fullname" . }}-configmap
namespace: {{ .Release.Namespace | quote }}
labels:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
app: {{ template "redis-ha.fullname" . }}
{{- range $key, $value := .Values.configmap.labels }}
{{ $key }}: {{ $value | toString }}
{{- end }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
data:
redis.conf: |
{{- include "config-redis.conf" . }}
sentinel.conf: |
{{- include "config-sentinel.conf" . }}
init.sh: |
{{- include "config-init.sh" . }}
fix-split-brain.sh: |
{{- include "fix-split-brain.sh" . }}
{{ if .Values.haproxy.enabled }}
haproxy.cfg: |
{{- include "config-haproxy.cfg" . }}
{{- end }}
haproxy_init.sh: |
{{- include "config-haproxy_init.sh" . }}
trigger-failover-if-master.sh: |
{{- include "trigger-failover-if-master.sh" . }}

14
manifests/argo-cd/charts/redis-ha/templates/redis-ha-exporter-script-configmap.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.exporter.script }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "redis-ha.fullname" . }}-exporter-script-configmap
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
data:
script: {{ toYaml .Values.exporter.script | indent 2 }}
{{- end }}

20
manifests/argo-cd/charts/redis-ha/templates/redis-ha-health-configmap.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "redis-ha.fullname" . }}-health-configmap
namespace: {{ .Release.Namespace | quote }}
labels:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
app: {{ template "redis-ha.fullname" . }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
data:
redis_liveness.sh: |
{{- include "redis_liveness.sh" . }}
redis_readiness.sh: |
{{- include "redis_readiness.sh" . }}
sentinel_liveness.sh: |
{{- include "sentinel_liveness.sh" . }}

80
manifests/argo-cd/charts/redis-ha/templates/redis-ha-network-policy.yaml Normal file
View File

@ -0,0 +1,80 @@
{{- if .Values.networkPolicy.enabled }}
{{- $root := . }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ template "redis-ha.fullname" . }}-network-policy
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.networkPolicy.annotations }}
annotations:
{{- range $key, $value := .Values.networkPolicy.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.networkPolicy.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
policyTypes:
- Ingress
- Egress
egress:
- to:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
ports:
- port: {{ .Values.redis.port }}
protocol: TCP
- port: {{ .Values.sentinel.port }}
protocol: TCP
{{- range $rule := .Values.networkPolicy.egressRules }}
- to:
{{ (tpl (toYaml $rule.selectors) $) | indent 7 }}
ports:
{{ toYaml $rule.ports | indent 7 }}
{{- end }}
ingress:
- from:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
ports:
- port: {{ .Values.redis.port }}
protocol: TCP
- port: {{ .Values.sentinel.port }}
protocol: TCP
{{- if .Values.haproxy.enabled }}
- from:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}-haproxy
ports:
- port: {{ .Values.redis.port }}
protocol: TCP
- port: {{ .Values.sentinel.port }}
protocol: TCP
{{- end }}
{{- range $rule := .Values.networkPolicy.ingressRules }}
- from:
{{ (tpl (toYaml $rule.selectors) $) | indent 7 }}
ports:
{{- if $rule.ports }}
{{ toYaml $rule.ports | indent 7 }}
{{- else }}
- port: {{ $root.Values.redis.port }}
protocol: TCP
- port: {{ $root.Values.sentinel.port }}
protocol: TCP
{{- end }}
{{- end }}
{{- end }}

21
manifests/argo-cd/charts/redis-ha/templates/redis-ha-pdb.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if .Values.podDisruptionBudget -}}
apiVersion: {{ template "redis-ha.podDisruptionBudget.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "redis-ha.fullname" . }}-pdb
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
selector:
matchLabels:
# The replica label is set on StatefulSet pods but not the Test pods
# We want to avoid including the Test pods in the budget
{{ template "redis-ha.fullname" . }}: replica
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
{{ toYaml .Values.podDisruptionBudget | indent 2 }}
{{- end -}}

17
manifests/argo-cd/charts/redis-ha/templates/redis-ha-prometheus-rule.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.prometheusRule.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "redis-ha.fullname" . }}
{{- if .Values.prometheusRule.namespace }}
namespace: {{ .Values.prometheusRule.namespace }}
{{- end }}
labels: {{- toYaml .Values.prometheusRule.additionalLabels | nindent 4 }}
spec:
groups:
- name: {{ template "redis-ha.fullname" . }}
{{- if .Values.prometheusRule.interval }}
interval: {{ .Values.prometheusRule.interval }}
{{- end }}
rules: {{- tpl (toYaml .Values.prometheusRule.rules) . | nindent 8 }}
{{- end }}

19
manifests/argo-cd/charts/redis-ha/templates/redis-ha-role.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "redis-ha.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
{{- end }}

19
manifests/argo-cd/charts/redis-ha/templates/redis-ha-rolebinding.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if and .Values.serviceAccount.create .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "redis-ha.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "redis-ha.serviceAccountName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "redis-ha.fullname" . }}
{{- end }}

32
manifests/argo-cd/charts/redis-ha/templates/redis-ha-secret.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- if not .Values.restore.existingSecret }}
{{- $regexRestoreS3 := "^s3://.+|^S3://.+" -}}
{{- $regexRestoreSSH := "^.+@.+:.+" -}}
{{- if or (regexFind $regexRestoreSSH (toString .Values.restore.ssh.source)) (regexFind $regexRestoreS3 (toString .Values.restore.s3.source)) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "redis-ha.fullname" . }}-secret
namespace: {{ .Release.Namespace | quote }}
labels:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
app: {{ template "redis-ha.fullname" . }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
type: Opaque
data:
{{- if regexFind $regexRestoreSSH (toString .Values.restore.ssh.source) }}
SSH_KEY: "{{ .Values.restore.ssh.key | b64enc }}"
{{- end }}
{{- if regexFind $regexRestoreS3 (toString .Values.restore.s3.source) }}
AWS_SECRET_ACCESS_KEY: "{{ .Values.restore.s3.secret_key | b64enc }}"
AWS_ACCESS_KEY_ID: "{{ .Values.restore.s3.access_key | b64enc }}"
{{- end }}
{{- end }}
{{- end }}

57
manifests/argo-cd/charts/redis-ha/templates/redis-ha-service.yaml Normal file
View File

@ -0,0 +1,57 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "redis-ha.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- if .Values.exporter.enabled }}
exporter: enabled
{{- end }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- range $key, $value := .Values.serviceLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
annotations:
{{- if .Values.serviceAnnotations }}
{{ toYaml .Values.serviceAnnotations | indent 4 }}
{{- end }}
spec:
type: ClusterIP
clusterIP: None
ports:
{{- if ne (int .Values.redis.port) 0 }}
- name: tcp-server
port: {{ .Values.redis.port }}
protocol: TCP
targetPort: redis
{{- end }}
{{- if .Values.redis.tlsPort }}
- name: server-tls
port: {{ .Values.redis.tlsPort }}
protocol: TCP
targetPort: redis-tls
{{- end }}
{{- if ne (int .Values.sentinel.port) 0 }}
- name: tcp-sentinel
port: {{ .Values.sentinel.port }}
protocol: TCP
targetPort: sentinel
{{- end }}
{{- if .Values.sentinel.tlsPort }}
- name: sentinel-tls
port: {{ .Values.sentinel.tlsPort }}
protocol: TCP
targetPort: sentinel-tls
{{- end }}
{{- if .Values.exporter.enabled }}
- name: http-exporter-port
port: {{ .Values.exporter.port }}
protocol: TCP
targetPort: {{ .Values.exporter.portName }}
{{- end }}
selector:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}

31
manifests/argo-cd/charts/redis-ha/templates/redis-ha-serviceaccount.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "redis-ha.serviceAccountName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
app: {{ template "redis-ha.fullname" . }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
{{- end }}
{{- if or .Values.auth .Values.sentinel.auth }}
secrets:
{{- end }}
{{- if .Values.auth }}
- name: {{ default (include "redis-ha.fullname" .) .Values.existingSecret }}
{{- end }}
{{- if .Values.sentinel.auth }}
- name: {{ default (printf "%s-sentinel" (include "redis-ha.fullname" .)) .Values.sentinel.existingSecret }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 0 }}
{{- end }}
{{- end }}

39
manifests/argo-cd/charts/redis-ha/templates/redis-ha-servicemonitor.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- if and ( or .Values.exporter.serviceMonitor.disableAPICheck ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ) ( .Values.exporter.serviceMonitor.enabled ) ( .Values.exporter.enabled ) }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "redis-ha.fullname" . }}
namespace: {{ .Values.exporter.serviceMonitor.namespace | default .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- range $key, $value := .Values.exporter.serviceMonitor.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
endpoints:
- targetPort: {{ .Values.exporter.port }}
{{- if .Values.exporter.serviceMonitor.interval }}
interval: {{ .Values.exporter.serviceMonitor.interval }}
{{- end }}
{{- if .Values.exporter.serviceMonitor.telemetryPath }}
path: {{ .Values.exporter.serviceMonitor.telemetryPath }}
{{- end }}
{{- if .Values.exporter.serviceMonitor.timeout }}
scrapeTimeout: {{ .Values.exporter.serviceMonitor.timeout }}
{{- end }}
{{- with .Values.exporter.serviceMonitor.endpointAdditionalProperties }}
{{- toYaml . | nindent 4 }}
{{- end }}
jobLabel: {{ template "redis-ha.fullname" . }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
selector:
matchLabels:
app: {{ template "redis-ha.name" . }}
release: {{ .Release.Name }}
exporter: enabled
{{- end }}

639
manifests/argo-cd/charts/redis-ha/templates/redis-ha-statefulset.yaml Normal file
View File

@ -0,0 +1,639 @@
{{- $regexRestoreS3 := "^s3://.+|^S3://.+" -}}
{{- $regexRestoreSSH := "^.+@.+:.+" -}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: {{ template "redis-ha.fullname" . }}-server
namespace: {{ .Release.Namespace | quote }}
labels:
{{ template "redis-ha.fullname" . }}: replica
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{ include "labels.standard" . | indent 4 }}
annotations:
{{ toYaml .Values.redis.annotations | indent 4 }}
spec:
selector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
serviceName: {{ template "redis-ha.fullname" . }}
replicas: {{ .Values.replicas }}
podManagementPolicy: {{ .Values.podManagementPolicy }}
updateStrategy:
type: {{ .Values.redis.updateStrategy.type }}
{{- if .Values.redis.minReadySeconds }}
minReadySeconds: {{ .Values.redis.minReadySeconds }}
{{- end }}
template:
metadata:
annotations:
checksum/init-config: {{ print (include "config-redis.conf" .) (include "config-sentinel.conf" .) (include "config-init.sh" .) (include "fix-split-brain.sh" .) (include "redis_liveness.sh" .) (include "redis_readiness.sh" .) (include "sentinel_liveness.sh" .) (include "trigger-failover-if-master.sh" .)| sha256sum }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | indent 8 }}
{{- end }}
{{- if and (.Values.exporter.enabled) (not .Values.exporter.serviceMonitor.enabled) }}
prometheus.io/port: "{{ .Values.exporter.port }}"
prometheus.io/scrape: "true"
prometheus.io/path: {{ .Values.exporter.scrapePath }}
{{- end }}
labels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
{{ template "redis-ha.fullname" . }}: replica
{{- range $key, $value := .Values.labels }}
{{ $key }}: {{ $value | toString }}
{{- end }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.redis.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.redis.terminationGracePeriodSeconds }}
{{- end }}
{{- if .Values.schedulerName }}
schedulerName: "{{ .Values.schedulerName }}"
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
affinity:
{{- if .Values.affinity }}
{{- with .Values.affinity }}
{{ tpl . $ | indent 8 }}
{{- end }}
{{- else }}
{{- if .Values.additionalAffinities }}
{{ toYaml .Values.additionalAffinities | indent 8 }}
{{- end }}
podAntiAffinity:
{{- if .Values.hardAntiAffinity }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "redis-ha.name" . }}
release: {{ .Release.Name }}
{{ template "redis-ha.fullname" . }}: replica
topologyKey: kubernetes.io/hostname
{{- else }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app: {{ template "redis-ha.name" . }}
release: {{ .Release.Name }}
{{ template "redis-ha.fullname" . }}: replica
topologyKey: kubernetes.io/hostname
{{- end }}
{{- end }}
{{- if .Values.topologySpreadConstraints.enabled }}
topologySpreadConstraints:
- maxSkew: {{ .Values.topologySpreadConstraints.maxSkew | default 1 }}
topologyKey: {{ .Values.topologySpreadConstraints.topologyKey | default "topology.kubernetes.io/zone" }}
whenUnsatisfiable: {{ .Values.topologySpreadConstraints.whenUnsatisfiable | default "ScheduleAnyway" }}
labelSelector:
matchLabels:
app: {{ template "redis-ha.name" . }}
release: {{ .Release.Name }}
{{ template "redis-ha.fullname" . }}: replica
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 8 }}
{{- end }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 8 }}
serviceAccountName: {{ template "redis-ha.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountToken }}
initContainers:
{{- if .Values.sysctlImage.enabled }}
- name: init-sysctl
image: {{ template "redis.sysctl.image" . }}
imagePullPolicy: {{ .Values.sysctlImage.pullPolicy }}
resources: {{ toYaml .Values.sysctlImage.resources | nindent 10 }}
{{- if .Values.sysctlImage.mountHostSys }}
volumeMounts:
- name: host-sys
mountPath: /host-sys
{{- end }}
command: {{ toYaml .Values.sysctlImage.command | nindent 10 }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
{{- end }}
{{- if and .Values.hostPath.path .Values.hostPath.chown }}
- name: hostpath-chown
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
command:
- chown
- "{{ .Values.containerSecurityContext.runAsUser }}"
- /data
volumeMounts:
- name: data
mountPath: /data
{{- end }}
- name: config-init
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{ toYaml .Values.init.resources | indent 10 }}
command:
- sh
args:
- /readonly-config/init.sh
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
env:
{{- $replicas := int (toString .Values.replicas) -}}
{{- range $i := until $replicas }}
- name: SENTINEL_ID_{{ $i }}
value: {{ printf "%s\n%s\nindex: %d" (include "redis-ha.name" $) ($.Release.Name) $i | sha256sum | trunc 40 }}
{{- end }}
{{- if .Values.auth }}
- name: AUTH
valueFrom:
secretKeyRef:
{{- if .Values.existingSecret }}
name: {{ .Values.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}
{{- end }}
key: {{ .Values.authKey }}
{{- end }}
{{- if .Values.sentinel.auth }}
- name: SENTINELAUTH
valueFrom:
secretKeyRef:
{{- if .Values.sentinel.existingSecret }}
name: {{ .Values.sentinel.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}-sentinel
{{- end }}
key: {{ .Values.sentinel.authKey }}
{{- end }}
volumeMounts:
- name: config
mountPath: /readonly-config
readOnly: true
- name: data
mountPath: /data
{{- if .Values.redis.tlsPort }}
- mountPath: /tls-certs
name: tls-certs
{{- end}}
{{ if regexFind $regexRestoreS3 (toString .Values.restore.s3.source) }}
- name: restore-s3
image: s3cmd/s3cmd:latest
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{ toYaml .Values.init.resources | indent 10 }}
command:
- sh
args:
- "-c"
- "timeout -t {{ .Values.restore.timeout }} \
s3cmd get {{ if .Values.restore.s3.region }}--region {{ .Values.restore.s3.region }} {{ end }}--force '{{ .Values.restore.s3.source }}' /data/dump.rdb_ \
&& test -s /data/dump.rdb_ \
&& if test -s /data/dump.rdb; \
then cp -v /data/dump.rdb /data/dump.rdb_orig; fi \
&& mv -v /data/dump.rdb_ /data/dump.rdb"
envFrom:
- secretRef:
{{- if .Values.restore.existingSecret }}
name: {{ .Values.existingSecret }}
{{- else }}
name: {{ include "redis-ha.fullname" . }}-secret
{{- end }}
volumeMounts:
- name: data
mountPath: /data
{{- end }}
{{ if regexFind $regexRestoreSSH (toString .Values.restore.ssh.source) }}
- name: restore-ssh
image: lgatica/openssh-client:latest
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{ toYaml .Values.init.resources | indent 10 }}
command:
- sh
args:
- "-c"
- "rm -f key && echo -e \"${SSH_KEY}\" >key \
&& chmod 400 key \
&& timeout {{ .Values.restore.timeout }} \
scp -i key \
-o StrictHostKeyChecking=no \
-o UserKnownHostsFile=/dev/null \
'{{ .Values.restore.ssh.source }}' \
/data/dump.rdb_ \
&& test -s /data/dump.rdb_ \
&& if test -s /data/dump.rdb; \
then cp -v /data/dump.rdb /data/dump.rdb_orig; fi \
&& mv -v /data/dump.rdb_ /data/dump.rdb"
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
envFrom:
- secretRef:
{{- if .Values.restore.existingSecret }}
name: {{ .Values.existingSecret }}
{{- else }}
name: {{ include "redis-ha.fullname" . }}-secret
{{- end }}
volumeMounts:
- name: data
mountPath: /data
{{- end }}
{{- if .Values.extraInitContainers }}
{{- toYaml .Values.extraInitContainers | nindent 6 }}
{{- end }}
containers:
- name: redis
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
{{- if .Values.redis.customCommand }}
{{ toYaml .Values.redis.customCommand | indent 10 }}
{{- else }}
- redis-server
{{- end }}
args:
{{- if .Values.redis.customArgs }}
{{ toYaml .Values.redis.customArgs | indent 10 }}
{{- else }}
- /data/conf/redis.conf
{{- end }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
{{- if .Values.auth }}
env:
- name: AUTH
valueFrom:
secretKeyRef:
{{- if .Values.existingSecret }}
name: {{ .Values.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}
{{- end }}
key: {{ .Values.authKey }}
{{- end }}
{{- if .Values.redis.envFrom }}
envFrom:
{{ toYaml .Values.redis.envFrom | indent 10 }}
{{- end }}
{{- if .Values.redis.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.redis.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.redis.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.redis.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.redis.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.redis.livenessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/redis_liveness.sh
{{- end }}
{{- if .Values.redis.readinessProbe.enabled }}
readinessProbe:
initialDelaySeconds: {{ .Values.redis.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.redis.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.redis.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.redis.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.redis.readinessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/redis_readiness.sh
{{- end }}
{{- if .Values.redis.startupProbe.enabled }}
startupProbe:
initialDelaySeconds: {{ .Values.redis.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.redis.startupProbe.periodSeconds }}
timeoutSeconds: {{ .Values.redis.startupProbe.timeoutSeconds }}
successThreshold: {{ .Values.redis.startupProbe.successThreshold }}
failureThreshold: {{ .Values.redis.startupProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/redis_readiness.sh
{{- end }}
resources:
{{ toYaml .Values.redis.resources | indent 10 }}
ports:
{{- if ne (int .Values.redis.port) 0 }}
- name: redis
containerPort: {{ .Values.redis.port }}
{{- end }}
{{- if .Values.redis.tlsPort }}
- name: redis-tls
containerPort: {{ .Values.redis.tlsPort }}
{{- end }}
volumeMounts:
- name: config
mountPath: /readonly-config
readOnly: true
- mountPath: /data
name: data
{{- if .Values.redis.tlsPort }}
- mountPath: /tls-certs
name: tls-certs
{{- end}}
- mountPath: /health
name: health
{{- if .Values.redis.extraVolumeMounts }}
{{- toYaml .Values.redis.extraVolumeMounts | nindent 8 }}
{{- end }}
lifecycle:
{{ toYaml .Values.redis.lifecycle | indent 10 }}
- name: sentinel
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
{{- if .Values.sentinel.customCommand }}
{{ toYaml .Values.sentinel.customCommand | indent 10 }}
{{- else }}
- redis-sentinel
{{- end }}
args:
{{- if .Values.sentinel.customArgs }}
{{ toYaml .Values.sentinel.customArgs | indent 10 }}
{{- else }}
- /data/conf/sentinel.conf
{{- end }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
{{- if or .Values.auth .Values.sentinel.auth}}
env:
{{- if .Values.auth }}
- name: AUTH
valueFrom:
secretKeyRef:
{{- if .Values.existingSecret }}
name: {{ .Values.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}
{{- end }}
key: {{ .Values.authKey }}
{{- end }}
{{- if .Values.sentinel.auth }}
- name: SENTINELAUTH
valueFrom:
secretKeyRef:
{{- if .Values.sentinel.existingSecret }}
name: {{ .Values.sentinel.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}-sentinel
{{- end }}
key: {{ .Values.sentinel.authKey }}
{{- end }}
{{- end }}
{{- if .Values.sentinel.livenessProbe.enabled }}
livenessProbe:
initialDelaySeconds: {{ .Values.sentinel.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.sentinel.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.sentinel.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.sentinel.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.sentinel.livenessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/sentinel_liveness.sh
{{- end }}
{{- if .Values.sentinel.readinessProbe.enabled }}
readinessProbe:
initialDelaySeconds: {{ .Values.sentinel.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.sentinel.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.sentinel.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.sentinel.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.sentinel.readinessProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/sentinel_liveness.sh
{{- end }}
{{- if .Values.sentinel.startupProbe.enabled }}
startupProbe:
initialDelaySeconds: {{ .Values.sentinel.startupProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.sentinel.startupProbe.periodSeconds }}
timeoutSeconds: {{ .Values.sentinel.startupProbe.timeoutSeconds }}
successThreshold: {{ .Values.sentinel.startupProbe.successThreshold }}
failureThreshold: {{ .Values.sentinel.startupProbe.failureThreshold }}
exec:
command:
- sh
- -c
- /health/sentinel_liveness.sh
{{- end }}
resources:
{{ toYaml .Values.sentinel.resources | indent 10 }}
ports:
{{- if ne (int .Values.sentinel.port) 0 }}
- name: sentinel
containerPort: {{ .Values.sentinel.port }}
{{- end }}
{{- if .Values.sentinel.tlsPort }}
- name: sentinel-tls
containerPort: {{ .Values.sentinel.tlsPort }}
{{- end }}
volumeMounts:
- mountPath: /data
name: data
{{- if .Values.redis.tlsPort }}
- mountPath: /tls-certs
name: tls-certs
{{- end }}
- mountPath: /health
name: health
{{- if .Values.sentinel.extraVolumeMounts }}
{{- toYaml .Values.sentinel.extraVolumeMounts | nindent 8 }}
{{- end }}
lifecycle:
{{ toYaml .Values.sentinel.lifecycle | indent 10 }}
- name: split-brain-fix
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- sh
args:
- /readonly-config/fix-split-brain.sh
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
env:
{{- $replicas := int (toString .Values.replicas) -}}
{{- range $i := until $replicas }}
- name: SENTINEL_ID_{{ $i }}
value: {{ printf "%s\n%s\nindex: %d" (include "redis-ha.name" $) ($.Release.Name) $i | sha256sum | trunc 40 }}
{{- end }}
{{- if .Values.auth }}
- name: AUTH
valueFrom:
secretKeyRef:
{{- if .Values.existingSecret }}
name: {{ .Values.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}
{{- end }}
key: {{ .Values.authKey }}
{{- end }}
{{- if .Values.sentinel.auth }}
- name: SENTINELAUTH
valueFrom:
secretKeyRef:
{{- if .Values.sentinel.existingSecret }}
name: {{ .Values.sentinel.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}-sentinel
{{- end }}
key: {{ .Values.sentinel.authKey }}
{{- end }}
resources:
{{- toYaml .Values.splitBrainDetection.resources | nindent 10 }}
volumeMounts:
- name: config
mountPath: /readonly-config
readOnly: true
- mountPath: /data
name: data
{{- if .Values.redis.tlsPort }}
- mountPath: /tls-certs
name: tls-certs
{{- end }}
{{- if .Values.exporter.enabled }}
- name: redis-exporter
image: "{{ .Values.exporter.image }}:{{ .Values.exporter.tag }}"
imagePullPolicy: {{ .Values.exporter.pullPolicy }}
args:
{{- range $key, $value := .Values.exporter.extraArgs }}
- --{{ $key }}={{ $value }}
{{- end }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 10 }}
env:
- name: REDIS_ADDR
{{- if .Values.exporter.sslEnabled }}
value: rediss://{{ default "localhost" .Values.exporter.address }}:{{ .Values.redis.tlsPort }}
{{- else }}
value: redis://{{ default "localhost" .Values.exporter.address }}:{{ .Values.redis.port }}
{{- end }}
{{- if .Values.auth }}
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
{{- if .Values.existingSecret }}
name: {{ .Values.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}
{{- end }}
key: {{ .Values.authKey }}
{{- end }}
{{- if .Values.exporter.script }}
- name: REDIS_EXPORTER_SCRIPT
value: /script/script.lua
{{- end }}
{{- if .Values.exporter.sslEnabled }}
- name: REDIS_EXPORTER_TLS_CLIENT_KEY_FILE
value: /tls-certs/{{ .Values.tls.keyFile }}
- name: REDIS_EXPORTER_TLS_CLIENT_CERT_FILE
value: /tls-certs/{{ .Values.tls.certFile }}
- name: REDIS_EXPORTER_TLS_CA_CERT_FILE
value: /tls-certs/{{ .Values.tls.caCertFile }}
{{- end }}
livenessProbe:
{{ toYaml .Values.exporter.livenessProbe | indent 10 }}
readinessProbe:
{{ toYaml .Values.exporter.readinessProbe | indent 10 }}
resources:
{{ toYaml .Values.exporter.resources | indent 10 }}
ports:
- name: {{ .Values.exporter.portName }}
containerPort: {{ .Values.exporter.port }}
volumeMounts:
{{- if .Values.exporter.script }}
- mountPath: /script
name: script-mount
{{- end }}
{{- if .Values.exporter.sslEnabled }}
- mountPath: /tls-certs
name: tls-certs
{{- end }}
{{- end }}
{{- if .Values.extraContainers }}
{{- toYaml .Values.extraContainers | nindent 6 }}
{{- end -}}
{{- with .Values.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
volumes:
- name: config
configMap:
name: {{ template "redis-ha.fullname" . }}-configmap
{{- if .Values.sysctlImage.mountHostSys }}
- name: host-sys
hostPath:
path: /sys
{{- end }}
{{- if .Values.exporter.script }}
- name: script-mount
configMap:
name: {{ template "redis-ha.fullname" . }}-exporter-script-configmap
items:
- key: script
path: script.lua
{{- end }}
{{- if .Values.redis.tlsPort }}
- name: tls-certs
secret:
{{- if .Values.tls.secretName }}
secretName: {{ .Values.tls.secretName }}
{{- else }}
secretName: {{ template "redis-ha.fullname" . }}-tls-secret
{{- end }}
{{- end }}
- name: health
configMap:
name: {{ template "redis-ha.fullname" . }}-health-configmap
defaultMode: 0755
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 6 }}
{{- end -}}
{{- if .Values.persistentVolume.enabled }}
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
annotations:
{{- range $key, $value := .Values.persistentVolume.annotations }}
{{ $key }}: {{ $value }}
{{- end }}
labels: {{- toYaml .Values.persistentVolume.labels | nindent 8 }}
spec:
accessModes:
{{- range .Values.persistentVolume.accessModes }}
- {{ . | quote }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistentVolume.size | quote }}
{{- if .Values.persistentVolume.storageClass }}
{{- if (eq "-" .Values.persistentVolume.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistentVolume.storageClass }}"
{{- end }}
{{- end }}
{{- else if .Values.hostPath.path }}
- name: data
hostPath:
path: {{ tpl .Values.hostPath.path .}}
{{- else }}
- name: data
emptyDir:
{{ toYaml .Values.emptyDir | indent 10 }}
{{- end }}

202
manifests/argo-cd/charts/redis-ha/templates/redis-haproxy-deployment.yaml Normal file
View File

@ -0,0 +1,202 @@
{{- if .Values.haproxy.enabled }}
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
{{- with .Values.haproxy.deploymentStrategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
revisionHistoryLimit: 1
replicas: {{ .Values.haproxy.replicas }}
selector:
matchLabels:
app: {{ template "redis-ha.name" . }}-haproxy
release: {{ .Release.Name }}
template:
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy
labels:
app: {{ template "redis-ha.name" . }}-haproxy
release: {{ .Release.Name }}
{{- range $key, $value := .Values.haproxy.labels }}
{{ $key }}: {{ $value | toString }}
{{- end }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
annotations:
{{- if and (.Values.haproxy.metrics.enabled) (not .Values.haproxy.metrics.serviceMonitor.enabled) }}
prometheus.io/port: "{{ .Values.haproxy.metrics.port }}"
prometheus.io/scrape: "true"
prometheus.io/path: "{{ .Values.haproxy.metrics.scrapePath }}"
{{- end }}
checksum/config: {{ print (include "config-haproxy.cfg" .) (include "config-haproxy_init.sh" .) | sha256sum }}
{{- if .Values.haproxy.annotations }}
{{ toYaml .Values.haproxy.annotations | indent 8 }}
{{- end }}
spec:
# Needed when using unmodified rbac-setup.yml
{{ if .Values.haproxy.serviceAccount.create }}
serviceAccountName: {{ template "redis-ha.serviceAccountName" . }}-haproxy
{{- else }}
serviceAccountName: {{ .Values.haproxy.serviceAccountName }}
{{- end }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.securityContext "context" $) | nindent 8 }}
automountServiceAccountToken: {{ .Values.haproxy.serviceAccount.automountToken }}
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 8 }}
tolerations:
{{ toYaml .Values.tolerations | indent 8 }}
affinity:
{{- if .Values.haproxy.affinity }}
{{- with .Values.haproxy.affinity }}
{{ tpl . $ | indent 8 }}
{{- end }}
{{- else }}
{{- if .Values.haproxy.additionalAffinities }}
{{ toYaml .Values.haproxy.additionalAffinities | indent 8 }}
{{- end }}
podAntiAffinity:
{{- if .Values.haproxy.hardAntiAffinity }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app: {{ template "redis-ha.name" . }}-haproxy
release: {{ .Release.Name }}
topologyKey: kubernetes.io/hostname
{{- else }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app: {{ template "redis-ha.name" . }}-haproxy
release: {{ .Release.Name }}
topologyKey: kubernetes.io/hostname
{{- end }}
{{- end }}
{{- if .Values.topologySpreadConstraints.enabled }}
topologySpreadConstraints:
- maxSkew: {{ .Values.topologySpreadConstraints.maxSkew | default 1 }}
topologyKey: {{ .Values.topologySpreadConstraints.topologyKey | default "topology.kubernetes.io/zone" }}
whenUnsatisfiable: {{ .Values.topologySpreadConstraints.whenUnsatisfiable | default "ScheduleAnyway" }}
labelSelector:
matchLabels:
app: {{ template "redis-ha.name" . }}-haproxy
release: {{ .Release.Name }}
{{- end }}
initContainers:
- name: config-init
image: {{ .Values.haproxy.image.repository }}:{{ .Values.haproxy.image.tag }}
imagePullPolicy: {{ .Values.haproxy.image.pullPolicy }}
resources:
{{ toYaml .Values.haproxy.init.resources | indent 10 }}
command:
- sh
args:
- /readonly/haproxy_init.sh
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.containerSecurityContext "context" $) | nindent 10 }}
volumeMounts:
- name: config-volume
mountPath: /readonly
readOnly: true
- name: data
mountPath: /data
{{- if .Values.haproxy.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.haproxy.imagePullSecrets | nindent 8 }}
{{- end }}
containers:
- name: haproxy
image: {{ .Values.haproxy.image.repository }}:{{ .Values.haproxy.image.tag }}
imagePullPolicy: {{ .Values.haproxy.image.pullPolicy }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.haproxy.containerSecurityContext "context" $) | nindent 10 }}
{{- if or .Values.auth .Values.sentinel.auth}}
env:
{{- if .Values.auth }}
- name: AUTH
valueFrom:
secretKeyRef:
{{- if .Values.existingSecret }}
name: {{ .Values.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}
{{- end }}
key: {{ .Values.authKey }}
{{- end }}
{{- if .Values.sentinel.auth }}
- name: SENTINELAUTH
valueFrom:
secretKeyRef:
{{- if .Values.sentinel.existingSecret }}
name: {{ .Values.sentinel.existingSecret }}
{{- else }}
name: {{ template "redis-ha.fullname" . }}-sentinel
{{- end }}
key: {{ .Values.sentinel.authKey }}
{{- end }}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: probe
initialDelaySeconds: 5
periodSeconds: 3
readinessProbe:
httpGet:
path: /healthz
port: probe
initialDelaySeconds: 5
periodSeconds: 3
ports:
- name: probe
containerPort: 8888
- name: redis
containerPort: {{ default "6379" .Values.haproxy.containerPort }}
{{- if .Values.haproxy.readOnly.enabled }}
- name: readonlyport
containerPort: {{ default "6380" .Values.haproxy.readOnly.port }}
{{- end }}
{{- if .Values.haproxy.metrics.enabled }}
- name: metrics-port
containerPort: {{ default "9101" .Values.haproxy.metrics.port }}
{{- end }}
resources:
{{ toYaml .Values.haproxy.resources | indent 10 }}
volumeMounts:
- name: data
mountPath: /usr/local/etc/haproxy
- name: shared-socket
mountPath: /run/haproxy
{{- if .Values.haproxy.tls.enabled }}
- name: pemfile
mountPath: {{ .Values.haproxy.tls.certMountPath }}
{{- end }}
lifecycle:
{{ toYaml .Values.haproxy.lifecycle | indent 10 }}
{{- with .Values.haproxy.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
volumes:
{{- if .Values.haproxy.tls.enabled }}
- name: pemfile
secret:
secretName: {{ .Values.haproxy.tls.secretName }}
{{- end }}
- name: config-volume
configMap:
name: {{ template "redis-ha.fullname" . }}-configmap
- name: shared-socket
emptyDir:
{{ toYaml .Values.haproxy.emptyDir | indent 10 }}
- name: data
emptyDir:
{{ toYaml .Values.haproxy.emptyDir | indent 10 }}
{{- end }}

74
manifests/argo-cd/charts/redis-ha/templates/redis-haproxy-network-policy.yaml Normal file
View File

@ -0,0 +1,74 @@
{{- if and .Values.haproxy.enabled .Values.haproxy.networkPolicy.enabled }}
{{- $root := . }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy-network-policy
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.haproxy.networkPolicy.annotations }}
annotations:
{{- range $key, $value := .Values.haproxy.networkPolicy.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "labels.standard" . | nindent 4 }}
{{- range $key, $value := .Values.haproxy.networkPolicy.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}-haproxy
policyTypes:
- Ingress
- Egress
egress:
- to:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
ports:
- port: {{ .Values.redis.port }}
protocol: TCP
- port: {{ .Values.sentinel.port }}
protocol: TCP
- to:
- namespaceSelector: {}
ports:
- port: 53
protocol: UDP
- port: 53
protocol: TCP
{{- range $rule := .Values.haproxy.networkPolicy.egressRules }}
- to:
{{- (tpl (toYaml $rule.selectors) $) | nindent 8 }}
ports:
{{- toYaml $rule.ports | nindent 8 }}
{{- end }}
ingress:
- from:
- podSelector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}
ports:
- port: {{ .Values.redis.port }}
protocol: TCP
- port: {{ .Values.sentinel.port }}
protocol: TCP
{{- range $rule := .Values.haproxy.networkPolicy.ingressRules }}
- from:
{{- (tpl (toYaml $rule.selectors) $) | nindent 8 }}
ports:
{{- if $rule.ports }}
{{- toYaml $rule.ports | nindent 8 }}
{{- end }}
- port: {{ $root.Values.redis.port }}
protocol: TCP
- port: {{ $root.Values.sentinel.port }}
protocol: TCP
{{- end }}
{{- end }}

18
manifests/argo-cd/charts/redis-ha/templates/redis-haproxy-pdb.yaml Normal file
View File

@ -0,0 +1,18 @@
{{- if .Values.haproxy.podDisruptionBudget -}}
apiVersion: {{ template "redis-ha.podDisruptionBudget.apiVersion" . }}
kind: PodDisruptionBudget
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy-pdb
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
selector:
matchLabels:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}-haproxy
{{ toYaml .Values.haproxy.podDisruptionBudget | indent 2 }}
{{- end -}}

22
manifests/argo-cd/charts/redis-ha/templates/redis-haproxy-role.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.haproxy.enabled }}
{{- if and .Values.haproxy.serviceAccount.create .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
component: {{ template "redis-ha.fullname" . }}-haproxy
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
{{- end }}
{{- end }}

22
manifests/argo-cd/charts/redis-ha/templates/redis-haproxy-rolebinding.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.haproxy.enabled }}
{{- if and .Values.haproxy.serviceAccount.create .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
component: {{ template "redis-ha.fullname" . }}-haproxy
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ template "redis-ha.serviceAccountName" . }}-haproxy
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "redis-ha.fullname" . }}-haproxy
{{- end }}
{{- end }}

60
manifests/argo-cd/charts/redis-ha/templates/redis-haproxy-service.yaml Normal file
View File

@ -0,0 +1,60 @@
{{- if .Values.haproxy.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
component: {{ template "redis-ha.fullname" . }}-haproxy
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- range $key, $value := .Values.haproxy.service.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
annotations:
{{- if .Values.haproxy.service.annotations }}
{{ toYaml .Values.haproxy.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ default "ClusterIP" .Values.haproxy.service.type }}
{{- if and (eq .Values.haproxy.service.type "LoadBalancer") .Values.haproxy.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.haproxy.service.loadBalancerIP }}
{{- end }}
{{- if and (eq .Values.haproxy.service.type "LoadBalancer") .Values.haproxy.service.externalTrafficPolicy }}
externalTrafficPolicy: {{ .Values.haproxy.service.externalTrafficPolicy }}
{{- end }}
{{- if and (eq .Values.haproxy.service.type "LoadBalancer") .Values.haproxy.service.loadBalancerSourceRanges }}
loadBalancerSourceRanges: {{ toYaml .Values.haproxy.service.loadBalancerSourceRanges | nindent 2 }}
{{- end }}
{{- if .Values.haproxy.service.externalIPs }}
externalIPs:
{{- range $key, $value := .Values.haproxy.service.externalIPs }}
- {{ $value }}
{{- end }}
{{- end }}
ports:
- name: tcp-haproxy
port: {{ .Values.haproxy.servicePort }}
protocol: TCP
targetPort: redis
{{- if and (eq .Values.haproxy.service.type "NodePort") .Values.haproxy.service.nodePort }}
nodePort: {{ .Values.haproxy.service.nodePort }}
{{- end }}
{{- if .Values.haproxy.readOnly.enabled }}
- name: tcp-haproxyreadonly
port: {{ .Values.haproxy.readOnly.port }}
protocol: TCP
targetPort: {{ .Values.haproxy.readOnly.port }}
{{- end }}
{{- if .Values.haproxy.metrics.enabled }}
- name: {{ .Values.haproxy.metrics.portName }}
port: {{ .Values.haproxy.metrics.port }}
protocol: TCP
targetPort: metrics-port
{{- end }}
selector:
release: {{ .Release.Name }}
app: {{ template "redis-ha.name" . }}-haproxy
{{- end }}

15
manifests/argo-cd/charts/redis-ha/templates/redis-haproxy-serviceaccount.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if and .Values.haproxy.serviceAccount.create .Values.haproxy.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "redis-ha.serviceAccountName" . }}-haproxy
namespace: {{ .Release.Namespace | quote }}
labels:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
chart: {{ .Chart.Name }}-{{ .Chart.Version }}
app: {{ template "redis-ha.fullname" . }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}

39
manifests/argo-cd/charts/redis-ha/templates/redis-haproxy-servicemonitor.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- if and ( or .Values.haproxy.metrics.serviceMonitor.disableAPICheck ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ) ( .Values.haproxy.metrics.serviceMonitor.enabled ) ( .Values.haproxy.metrics.enabled ) }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "redis-ha.fullname" . }}-haproxy
namespace: {{ .Values.haproxy.metrics.serviceMonitor.namespace | default .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- range $key, $value := .Values.haproxy.metrics.serviceMonitor.labels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
endpoints:
- targetPort: {{ .Values.haproxy.metrics.port }}
{{- if .Values.haproxy.metrics.serviceMonitor.interval }}
interval: {{ .Values.haproxy.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.haproxy.metrics.serviceMonitor.telemetryPath }}
path: {{ .Values.haproxy.metrics.serviceMonitor.telemetryPath }}
{{- end }}
{{- if .Values.haproxy.metrics.serviceMonitor.timeout }}
scrapeTimeout: {{ .Values.haproxy.metrics.serviceMonitor.timeout }}
{{- end }}
{{- with .Values.haproxy.metrics.serviceMonitor.endpointAdditionalProperties }}
{{- toYaml . | nindent 4 }}
{{- end }}
jobLabel: {{ template "redis-ha.fullname" . }}-haproxy
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
selector:
matchLabels:
app: {{ template "redis-ha.name" . }}
release: {{ .Release.Name }}
component: {{ template "redis-ha.fullname" . }}-haproxy
{{- end }}

27
manifests/argo-cd/charts/redis-ha/templates/redis-tls-secret.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if and .Values.redis.tlsPort (not .Values.tls.secretName) -}}
apiVersion: v1
kind: Secret
metadata:
metadata:
name: {{ template "redis-ha.fullname" . }}-tls-secret
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
type: Opaque
data:
{{- if .Values.tls.caCertFile }}
{{ .Values.tls.caCertFile }}: {{ .Files.Get "certs/ca.crt" | b64enc }}
{{- end }}
{{- if .Values.tls.certFile }}
{{ .Values.tls.certFile }}: {{ .Files.Get "certs/redis.crt" | b64enc }}
{{- end }}
{{- if .Values.tls.keyFile }}
{{ .Values.tls.keyFile }}: {{ .Files.Get "certs/redis.key" | b64enc }}
{{- end }}
{{- if .Values.tls.dhParamsFile }}
{{ .Values.tls.dhParamsFile }}: {{ .Files.Get "certs/redis.dh" | b64enc }}
{{- end }}
{{- end }}

15
manifests/argo-cd/charts/redis-ha/templates/sentinel-auth-secret.yaml Normal file
View File

@ -0,0 +1,15 @@
{{- if and .Values.sentinel.auth (not .Values.sentinel.existingSecret) -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "redis-ha.fullname" . }}-sentinel
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
{{- range $key, $value := .Values.extraLabels }}
{{ $key }}: {{ $value | quote }}
{{- end }}
type: Opaque
data:
{{ .Values.sentinel.authKey }}: {{ .Values.sentinel.password | b64enc | quote }}
{{- end -}}

32
manifests/argo-cd/charts/redis-ha/templates/tests/test-redis-ha-configmap.yaml Normal file
View File

@ -0,0 +1,32 @@
apiVersion: v1
kind: Pod
metadata:
name: {{ template "redis-ha.fullname" . }}-configmap-test
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 4 }}
tolerations: {{ toYaml .Values.tolerations | nindent 4 }}
containers:
- name: check-init
image: {{ .Values.configmapTest.image.repository }}:{{ .Values.configmapTest.image.tag }}
args:
- --shell=sh
- /readonly-config/init.sh
volumeMounts:
- name: config
mountPath: /readonly-config
readOnly: true
resources: {{ toYaml .Values.configmapTest.resources | nindent 6 }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 4 }}
{{- end }}
restartPolicy: Never
volumes:
- name: config
configMap:
name: {{ template "redis-ha.fullname" . }}-configmap

29
manifests/argo-cd/charts/redis-ha/templates/tests/test-redis-ha-pod.yaml Normal file
View File

@ -0,0 +1,29 @@
{{- if .Values.haproxy.enabled }}
apiVersion: v1
kind: Pod
metadata:
name: {{ template "redis-ha.fullname" . }}-service-test
namespace: {{ .Release.Namespace | quote }}
labels:
{{ include "labels.standard" . | indent 4 }}
annotations:
"helm.sh/hook": test-success
spec:
nodeSelector:
{{ toYaml .Values.nodeSelector | indent 4 }}
tolerations:
{{ toYaml .Values.tolerations | indent 4 }}
containers:
- name: "{{ .Release.Name }}-service-test"
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
command:
- sh
- -c
- redis-cli -h {{ template "redis-ha.fullname" . }}-haproxy -p {{ .Values.redis.port }} info server
resources: {{ toYaml .Values.haproxy.tests.resources | nindent 6 }}
securityContext: {{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 6 }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets: {{ toYaml .Values.imagePullSecrets | nindent 4 }}
{{- end }}
restartPolicy: Never
{{- end }}

1006
manifests/argo-cd/charts/redis-ha/values.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

22
manifests/argo-cd/templates/NOTES.txt Normal file
View File

@ -0,0 +1,22 @@
In order to access the server UI you have the following options:
1. kubectl port-forward service/{{ include "argo-cd.fullname" . }}-server -n {{ include "argo-cd.namespace" . }} 8080:443
and then open the browser on http://localhost:8080 and accept the certificate
2. enable ingress in the values file `server.ingress.enabled` and either
- Add the annotation for ssl passthrough: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
- Set the `configs.params."server.insecure"` in the values file and terminate SSL at your ingress: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-2-multiple-ingress-objects-and-hosts
{{ if eq (toString (index .Values.configs.cm "admin.enabled")) "true" -}}
After reaching the UI the first time you can login with username: admin and the random password generated during the installation. You can find the password by running:
kubectl -n {{ include "argo-cd.namespace" . }} get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
(You should delete the initial secret afterwards as suggested by the Getting Started Guide: https://argo-cd.readthedocs.io/en/stable/getting_started/#4-login-using-the-cli)
{{ else if or (index .Values.configs.cm "dex.config") (index .Values.configs.cm "oidc.config") -}}
After reaching the UI the first time you can login using Dex or OIDC.
{{ else -}}
After reaching the UI the first time you cannot login with username and password since you've disabled it. You should enable admin back or configure Dex via `configs.cm.dex.config` or OIDC via `configs.cm.oidc.config`.
{{ end -}}

147
manifests/argo-cd/templates/_common.tpl Normal file
View File

@ -0,0 +1,147 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "argo-cd.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "argo-cd.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "argo-cd.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create Argo CD app version
*/}}
{{- define "argo-cd.defaultTag" -}}
{{- default .Chart.AppVersion .Values.global.image.tag }}
{{- end -}}
{{/*
Return valid version label
*/}}
{{- define "argo-cd.versionLabelValue" -}}
{{ regexReplaceAll "[^-A-Za-z0-9_.]" (include "argo-cd.defaultTag" .) "-" | trunc 63 | trimAll "-" | trimAll "_" | trimAll "." | quote }}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "argo-cd.labels" -}}
helm.sh/chart: {{ include "argo-cd.chart" .context }}
{{ include "argo-cd.selectorLabels" (dict "context" .context "component" .component "name" .name) }}
app.kubernetes.io/managed-by: {{ .context.Release.Service }}
app.kubernetes.io/part-of: argocd
app.kubernetes.io/version: {{ include "argo-cd.versionLabelValue" .context }}
{{- with .context.Values.global.additionalLabels }}
{{ toYaml . }}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "argo-cd.selectorLabels" -}}
{{- if .name -}}
app.kubernetes.io/name: {{ include "argo-cd.name" .context }}-{{ .name }}
{{ end -}}
app.kubernetes.io/instance: {{ .context.Release.Name }}
{{- if .component }}
app.kubernetes.io/component: {{ .component }}
{{- end }}
{{- end }}
{{/*
Common affinity definition
Pod affinity
- Soft prefers different nodes
- Hard requires different nodes and prefers different availibility zones
Node affinity
- Soft prefers given user expressions
- Hard requires given user expressions
*/}}
{{- define "argo-cd.affinity" -}}
{{- with .component.affinity -}}
{{- toYaml . -}}
{{- else -}}
{{- $preset := .context.Values.global.affinity -}}
{{- if (eq $preset.podAntiAffinity "soft") }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: {{ include "argo-cd.name" .context }}-{{ .component.name }}
topologyKey: kubernetes.io/hostname
{{- else if (eq $preset.podAntiAffinity "hard") }}
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: {{ include "argo-cd.name" .context }}-{{ .component.name }}
topologyKey: topology.kubernetes.io/zone
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ include "argo-cd.name" .context }}-{{ .component.name }}
topologyKey: kubernetes.io/hostname
{{- end }}
{{- with $preset.nodeAffinity.matchExpressions }}
{{- if (eq $preset.nodeAffinity.type "soft") }}
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
{{- toYaml . | nindent 6 }}
{{- else if (eq $preset.nodeAffinity.type "hard") }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
{{- toYaml . | nindent 6 }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Common deployment strategy definition
- Recreate don't have additional fields, we need to remove them if added by the mergeOverwrite
*/}}
{{- define "argo-cd.strategy" -}}
{{- $preset := . -}}
{{- if (eq (toString $preset.type) "Recreate") }}
type: Recreate
{{- else if (eq (toString $preset.type) "RollingUpdate") }}
type: RollingUpdate
{{- with $preset.rollingUpdate }}
rollingUpdate:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}
{{- end -}}

259
manifests/argo-cd/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,259 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Create controller name and version as used by the chart label.
Truncated at 52 chars because StatefulSet label 'controller-revision-hash' is limited
to 63 chars and it includes 10 chars of hash and a separating '-'.
*/}}
{{- define "argo-cd.controller.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.controller.name | trunc 52 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the controller service account to use
*/}}
{{- define "argo-cd.controller.serviceAccountName" -}}
{{- if .Values.controller.serviceAccount.create -}}
{{ default (include "argo-cd.controller.fullname" .) .Values.controller.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.controller.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create dex name and version as used by the chart label.
*/}}
{{- define "argo-cd.dex.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.dex.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create Dex server endpoint
*/}}
{{- define "argo-cd.dex.server" -}}
{{- $insecure := index .Values.configs.params "dexserver.disable.tls" | toString -}}
{{- $scheme := (eq $insecure "true") | ternary "http" "https" -}}
{{- $host := include "argo-cd.dex.fullname" . -}}
{{- $port := int .Values.dex.servicePortHttp -}}
{{- printf "%s://%s:%d" $scheme $host $port }}
{{- end }}
{{/*
Create the name of the dex service account to use
*/}}
{{- define "argo-cd.dex.serviceAccountName" -}}
{{- if .Values.dex.serviceAccount.create -}}
{{ default (include "argo-cd.dex.fullname" .) .Values.dex.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.dex.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create redis name and version as used by the chart label.
*/}}
{{- define "argo-cd.redis.fullname" -}}
{{- $redisHa := (index .Values "redis-ha") -}}
{{- $redisHaContext := dict "Chart" (dict "Name" "redis-ha") "Release" .Release "Values" $redisHa -}}
{{- if $redisHa.enabled -}}
{{- if $redisHa.haproxy.enabled -}}
{{- printf "%s-haproxy" (include "redis-ha.fullname" $redisHaContext) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- else -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redis.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Return Redis server endpoint
*/}}
{{- define "argo-cd.redis.server" -}}
{{- $redisHa := (index .Values "redis-ha") -}}
{{- if or (and .Values.redis.enabled (not $redisHa.enabled)) (and $redisHa.enabled $redisHa.haproxy.enabled) }}
{{- printf "%s:%s" (include "argo-cd.redis.fullname" .) (toString .Values.redis.servicePort) }}
{{- else if and .Values.externalRedis.host .Values.externalRedis.port }}
{{- printf "%s:%s" .Values.externalRedis.host (toString .Values.externalRedis.port) }}
{{- end }}
{{- end -}}
{{/*
Create the name of the redis service account to use
*/}}
{{- define "argo-cd.redis.serviceAccountName" -}}
{{- if .Values.redis.serviceAccount.create -}}
{{ default (include "argo-cd.redis.fullname" .) .Values.redis.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.redis.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create Redis secret-init name
*/}}
{{- define "argo-cd.redisSecretInit.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redisSecretInit.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the Redis secret-init service account to use
*/}}
{{- define "argo-cd.redisSecretInit.serviceAccountName" -}}
{{- if .Values.redisSecretInit.serviceAccount.create -}}
{{ default (include "argo-cd.redisSecretInit.fullname" .) .Values.redisSecretInit.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.redisSecretInit.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create argocd server name and version as used by the chart label.
*/}}
{{- define "argo-cd.server.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.server.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the Argo CD server service account to use
*/}}
{{- define "argo-cd.server.serviceAccountName" -}}
{{- if .Values.server.serviceAccount.create -}}
{{ default (include "argo-cd.server.fullname" .) .Values.server.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.server.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create argocd repo-server name and version as used by the chart label.
*/}}
{{- define "argo-cd.repoServer.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.repoServer.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the repo-server service account to use
*/}}
{{- define "argo-cd.repoServer.serviceAccountName" -}}
{{- if .Values.repoServer.serviceAccount.create -}}
{{ default (include "argo-cd.repoServer.fullname" .) .Values.repoServer.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.repoServer.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create argocd application set name and version as used by the chart label.
*/}}
{{- define "argo-cd.applicationSet.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.applicationSet.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the application set service account to use
*/}}
{{- define "argo-cd.applicationSet.serviceAccountName" -}}
{{- if .Values.applicationSet.serviceAccount.create -}}
{{ default (include "argo-cd.applicationSet.fullname" .) .Values.applicationSet.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.applicationSet.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Create argocd notifications name and version as used by the chart label.
*/}}
{{- define "argo-cd.notifications.fullname" -}}
{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.notifications.name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the notifications service account to use
*/}}
{{- define "argo-cd.notifications.serviceAccountName" -}}
{{- if .Values.notifications.serviceAccount.create -}}
{{ default (include "argo-cd.notifications.fullname" .) .Values.notifications.serviceAccount.name }}
{{- else -}}
{{ default "default" .Values.notifications.serviceAccount.name }}
{{- end -}}
{{- end -}}
{{/*
Argo Configuration Preset Values (Influenced by Values configuration)
*/}}
{{- define "argo-cd.config.cm.presets" -}}
{{- $presets := dict -}}
{{- $_ := set $presets "url" (printf "https://%s" .Values.global.domain) -}}
{{- if eq (toString (index .Values.configs.cm "statusbadge.enabled")) "true" -}}
{{- $_ := set $presets "statusbadge.url" (printf "https://%s/" .Values.global.domain) -}}
{{- end -}}
{{- if .Values.configs.styles -}}
{{- $_ := set $presets "ui.cssurl" "./custom/custom.styles.css" -}}
{{- end -}}
{{- toYaml $presets }}
{{- end -}}
{{/*
Merge Argo Configuration with Preset Configuration
*/}}
{{- define "argo-cd.config.cm" -}}
{{- $config := omit .Values.configs.cm "create" "annotations" -}}
{{- $preset := include "argo-cd.config.cm.presets" . | fromYaml | default dict -}}
{{- range $key, $value := mergeOverwrite $preset $config }}
{{- $fmted := $value | toString }}
{{- if not (eq $fmted "") }}
{{ $key }}: {{ $fmted | toYaml }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Argo Params Default Configuration Presets
NOTE: Configuration keys must be stored as dict because YAML treats dot as separator
*/}}
{{- define "argo-cd.config.params.presets" -}}
{{- $presets := dict -}}
{{- $_ := set $presets "repo.server" (printf "%s:%s" (include "argo-cd.repoServer.fullname" .) (.Values.repoServer.service.port | toString)) -}}
{{- $_ := set $presets "server.repo.server.strict.tls" (.Values.repoServer.certificateSecret.enabled | toString ) -}}
{{- $_ := set $presets "redis.server" (include "argo-cd.redis.server" .) -}}
{{- $_ := set $presets "applicationsetcontroller.enable.leader.election" (gt ((.Values.applicationSet.replicas | default .Values.applicationSet.replicaCount) | int64) 1) -}}
{{- if .Values.dex.enabled -}}
{{- $_ := set $presets "server.dex.server" (include "argo-cd.dex.server" .) -}}
{{- $_ := set $presets "server.dex.server.strict.tls" .Values.dex.certificateSecret.enabled -}}
{{- end -}}
{{- range $component := tuple "applicationsetcontroller" "controller" "server" "reposerver" -}}
{{- $_ := set $presets (printf "%s.log.format" $component) $.Values.global.logging.format -}}
{{- $_ := set $presets (printf "%s.log.level" $component) $.Values.global.logging.level -}}
{{- end -}}
{{- toYaml $presets }}
{{- end -}}
{{/*
Merge Argo Params Configuration with Preset Configuration
*/}}
{{- define "argo-cd.config.params" -}}
{{- $config := omit .Values.configs.params "create" "annotations" }}
{{- $preset := include "argo-cd.config.params.presets" . | fromYaml | default dict -}}
{{- range $key, $value := mergeOverwrite $preset $config }}
{{ $key }}: {{ toString $value | toYaml }}
{{- end }}
{{- end -}}
{{/*
Expand the namespace of the release.
Allows overriding it for multi-namespace deployments in combined charts.
*/}}
{{- define "argo-cd.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{/*
Dual stack definition
*/}}
{{- define "argo-cd.dualStack" -}}
{{- with .Values.global.dualStack.ipFamilyPolicy }}
ipFamilyPolicy: {{ . }}
{{- end }}
{{- with .Values.global.dualStack.ipFamilies }}
ipFamilies: {{ toYaml . | nindent 4 }}
{{- end }}
{{- end }}

7
manifests/argo-cd/templates/_versions.tpl Normal file
View File

@ -0,0 +1,7 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Return the target Kubernetes version
*/}}
{{- define "argo-cd.kubeVersion" -}}
{{- default .Capabilities.KubeVersion.Version .Values.kubeVersionOverride }}
{{- end }}

70
manifests/argo-cd/templates/aggregate-roles.yaml Normal file
View File

@ -0,0 +1,70 @@
{{- if .Values.createAggregateRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.fullname" . }}-aggregate-to-view
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
{{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- appprojects
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.fullname" . }}-aggregate-to-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
{{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- appprojects
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.fullname" . }}-aggregate-to-admin
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- include "argo-cd.labels" (dict "context" .) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- appprojects
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
{{- end }}

23
manifests/argo-cd/templates/argocd-application-controller/clusterrole.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.controller.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
{{- if .Values.controller.clusterRoleRules.enabled }}
{{- toYaml .Values.controller.clusterRoleRules.rules | nindent 2 }}
{{- else }}
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
{{- end }}
{{- end }}

16
manifests/argo-cd/templates/argocd-application-controller/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "argo-cd.controller.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "argo-cd.controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.controller.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

416
manifests/argo-cd/templates/argocd-application-controller/deployment.yaml Normal file
View File

@ -0,0 +1,416 @@
{{- if .Values.controller.dynamicClusterDistribution }}
apiVersion: apps/v1
kind: Deployment
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.controller.deploymentAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
spec:
replicas: {{ .Values.controller.replicas }}
revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
template:
metadata:
annotations:
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
{{- if .Values.configs.cm.create }}
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.controller.runtimeClassName | default .Values.global.runtimeClassName }}
runtimeClassName: {{ . }}
{{- end }}
{{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.controller.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }}
containers:
- args:
- /usr/local/bin/argocd-application-controller
- --metrics-port={{ .Values.controller.containerPorts.metrics }}
{{- if .Values.controller.metrics.applicationLabels.enabled }}
{{- range .Values.controller.metrics.applicationLabels.labels }}
- --metrics-application-labels
- {{ . }}
{{- end }}
{{- end }}
{{- with .Values.controller.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
name: {{ .Values.controller.name }}
env:
{{- with (concat .Values.global.env .Values.controller.env) }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION
value: "true"
- name: ARGOCD_CONTROLLER_HEARTBEAT_TIME
value: {{ .Values.controller.heartbeatTime | quote }}
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
value: {{ template "argo-cd.controller.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.reconciliation
optional: true
- name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.hard.reconciliation
optional: true
- name: ARGOCD_RECONCILIATION_JITTER
valueFrom:
configMapKeyRef:
key: timeout.reconciliation.jitter
name: argocd-cm
optional: true
- name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.error.grace.period.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: repo.server
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.status.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.operation.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.format
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.level
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.metrics.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.factor
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.cap.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.plaintext
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.strict.tls
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.resource.health.persist
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.app.state.cache.expiration
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.server
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.compression
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.db
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
{{- else }}
key: auth
{{- end }}
optional: true
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
key: redis-sentinel-username
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
key: redis-sentinel-password
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.default.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: application.namespaces
optional: true
- name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.sharding.algorithm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.kubectl.parallelism.limit
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.max
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.base.backoff
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.diff.server.side
optional: true
- name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.ignore.normalizer.jq.timeout
optional: true
{{- with .Values.controller.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: metrics
containerPort: {{ .Values.controller.containerPorts.metrics }}
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
resources:
{{- toYaml .Values.controller.resources | nindent 10 }}
{{- with .Values.controller.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
workingDir: /home/argocd
volumeMounts:
{{- with .Values.controller.volumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
- mountPath: /app/config/controller/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd
name: argocd-home
- name: argocd-cmd-params-cm
mountPath: /home/argocd/params
{{- with .Values.controller.extraContainers }}
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with .Values.controller.initContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.controller) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.controller.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- with .Values.controller.volumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
- name: argocd-home
{{- if .Values.controller.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.controller.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
- name: argocd-cmd-params-cm
configMap:
optional: true
name: argocd-cmd-params-cm
items:
- key: controller.profile.enabled
path: profiler.enabled
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- with .Values.controller.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- end }}

35
manifests/argo-cd/templates/argocd-application-controller/metrics.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- if .Values.controller.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "argo-cd.controller.fullname" . }}-metrics
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" "metrics") | nindent 4 }}
{{- with .Values.controller.metrics.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.controller.metrics.service.annotations .Values.global.addPrometheusAnnotations }}
annotations:
{{- if .Values.global.addPrometheusAnnotations }}
prometheus.io/port: {{ .Values.controller.metrics.service.servicePort | quote }}
prometheus.io/scrape: "true"
{{- end }}
{{- range $key, $value := .Values.controller.metrics.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.controller.metrics.service.type }}
{{- if and .Values.controller.metrics.service.clusterIP (eq .Values.controller.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.controller.metrics.service.clusterIP }}
{{- end }}
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.controller.metrics.service.portName }}
protocol: TCP
port: {{ .Values.controller.metrics.service.servicePort }}
targetPort: metrics
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 4 }}
{{- end }}

20
manifests/argo-cd/templates/argocd-application-controller/networkpolicy.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if .Values.global.networkPolicy.create }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
spec:
ingress:
- from:
- namespaceSelector: {}
ports:
- port: metrics
podSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
policyTypes:
- Ingress
{{- end }}

27
manifests/argo-cd/templates/argocd-application-controller/pdb.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.controller.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "argo-cd.controller.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- with .Values.controller.pdb.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.controller.pdb.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.controller.pdb.maxUnavailable }}
maxUnavailable: {{ . }}
{{- else }}
minAvailable: {{ .Values.controller.pdb.minAvailable | default 0 }}
{{- end }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
{{- end }}

24
manifests/argo-cd/templates/argocd-application-controller/prometheusrule.yaml Normal file
View File

@ -0,0 +1,24 @@
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.metrics.enabled .Values.controller.metrics.rules.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ default (include "argo-cd.namespace" .) .Values.controller.metrics.rules.namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- if .Values.controller.metrics.rules.selector }}
{{- toYaml .Values.controller.metrics.rules.selector | nindent 4 }}
{{- end }}
{{- if .Values.controller.metrics.rules.additionalLabels }}
{{- toYaml .Values.controller.metrics.rules.additionalLabels | nindent 4 }}
{{- end }}
{{- with .Values.controller.metrics.rules.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
groups:
- name: argocd
rules:
{{- toYaml .Values.controller.metrics.rules.spec | nindent 4 }}
{{- end }}

59
manifests/argo-cd/templates/argocd-application-controller/role.yaml Normal file
View File

@ -0,0 +1,59 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- create
- get
- list
- watch
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
{{- if and (not .Values.createClusterRoles) .Values.controller.dynamicClusterDistribution }}
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- argocd-app-controller-shard-cm
verbs:
- get
- list
- watch
- create
- update
{{- end }}

15
manifests/argo-cd/templates/argocd-application-controller/rolebinding.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "argo-cd.controller.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "argo-cd.controller.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.controller.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}

19
manifests/argo-cd/templates/argocd-application-controller/serviceaccount.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.controller.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.controller.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- with .Values.controller.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- with .Values.controller.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

51
manifests/argo-cd/templates/argocd-application-controller/servicemonitor.yaml Normal file
View File

@ -0,0 +1,51 @@
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.controller.metrics.enabled .Values.controller.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ default (include "argo-cd.namespace" .) .Values.controller.metrics.serviceMonitor.namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
{{- with .Values.controller.metrics.serviceMonitor.selector }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.controller.metrics.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.controller.metrics.serviceMonitor.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ .Values.controller.metrics.service.portName }}
{{- with .Values.controller.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.controller.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- with .Values.controller.metrics.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
honorLabels: {{ .Values.controller.metrics.serviceMonitor.honorLabels }}
{{- with .Values.controller.metrics.serviceMonitor.scheme }}
scheme: {{ . }}
{{- end }}
{{- with .Values.controller.metrics.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "argo-cd.namespace" . }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.controller.name "name" "metrics") | nindent 6 }}
{{- end }}

414
manifests/argo-cd/templates/argocd-application-controller/statefulset.yaml Normal file
View File

@ -0,0 +1,414 @@
{{- if not .Values.controller.dynamicClusterDistribution | default false }}
apiVersion: apps/v1
kind: StatefulSet
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.statefulsetAnnotations) .Values.controller.statefulsetAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.controller.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 4 }}
spec:
replicas: {{ .Values.controller.replicas }}
revisionHistoryLimit: {{ .Values.controller.revisionHistoryLimit | default .Values.global.revisionHistoryLimit }}
serviceName: {{ include "argo-cd.controller.fullname" . }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.controller.name) | nindent 6 }}
template:
metadata:
annotations:
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
{{- if .Values.configs.cm.create }}
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.controller.podAnnotations) }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.controller.name "name" .Values.controller.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.controller.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.controller.runtimeClassName | default .Values.global.runtimeClassName }}
runtimeClassName: {{ . }}
{{- end }}
{{- with .Values.controller.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.controller.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.controller.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }}
containers:
- args:
- /usr/local/bin/argocd-application-controller
- --metrics-port={{ .Values.controller.containerPorts.metrics }}
{{- if .Values.controller.metrics.applicationLabels.enabled }}
{{- range .Values.controller.metrics.applicationLabels.labels }}
- --metrics-application-labels
- {{ . }}
{{- end }}
{{- end }}
{{- with .Values.controller.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
image: {{ default .Values.global.image.repository .Values.controller.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.controller.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.controller.image.imagePullPolicy }}
name: {{ .Values.controller.name }}
env:
{{- with (concat .Values.global.env .Values.controller.env) }}
{{- toYaml . | nindent 10 }}
{{- end }}
- name: ARGOCD_CONTROLLER_REPLICAS
value: {{ .Values.controller.replicas | quote }}
- name: ARGOCD_APPLICATION_CONTROLLER_NAME
value: {{ template "argo-cd.controller.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.reconciliation
optional: true
- name: ARGOCD_HARD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.hard.reconciliation
optional: true
- name: ARGOCD_RECONCILIATION_JITTER
valueFrom:
configMapKeyRef:
key: timeout.reconciliation.jitter
name: argocd-cm
optional: true
- name: ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.error.grace.period.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: repo.server
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.status.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.operation.processors
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.format
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.log.level
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.metrics.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.timeout.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.factor
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.self.heal.backoff.cap.seconds
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.plaintext
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.repo.server.strict.tls
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.resource.health.persist
optional: true
- name: ARGOCD_APP_STATE_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.app.state.cache.expiration
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.server
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.compression
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.db
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
{{- else }}
key: auth
{{- end }}
optional: true
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
key: redis-sentinel-username
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
key: redis-sentinel-password
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.default.cache.expiration
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: application.namespaces
optional: true
- name: ARGOCD_CONTROLLER_SHARDING_ALGORITHM
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.sharding.algorithm
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.kubectl.parallelism.limit
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_MAX
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.max
optional: true
- name: ARGOCD_K8SCLIENT_RETRY_BASE_BACKOFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.k8sclient.retry.base.backoff
optional: true
- name: ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.diff.server.side
optional: true
- name: ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: controller.ignore.normalizer.jq.timeout
optional: true
{{- with .Values.controller.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
{{- end }}
ports:
- name: metrics
containerPort: {{ .Values.controller.containerPorts.metrics }}
protocol: TCP
readinessProbe:
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: {{ .Values.controller.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.controller.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.controller.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.controller.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.controller.readinessProbe.failureThreshold }}
resources:
{{- toYaml .Values.controller.resources | nindent 10 }}
{{- with .Values.controller.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
workingDir: /home/argocd
volumeMounts:
{{- with .Values.controller.volumeMounts }}
{{- toYaml . | nindent 8 }}
{{- end }}
- mountPath: /app/config/controller/tls
name: argocd-repo-server-tls
- mountPath: /home/argocd
name: argocd-home
- name: argocd-cmd-params-cm
mountPath: /home/argocd/params
{{- with .Values.controller.extraContainers }}
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with .Values.controller.initContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.controller) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.controller.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controller.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.controller.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- with .Values.controller.volumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
- name: argocd-home
{{- if .Values.controller.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.controller.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
- name: argocd-cmd-params-cm
configMap:
optional: true
name: argocd-cmd-params-cm
items:
- key: controller.profile.enabled
path: profiler.enabled
{{- if .Values.controller.hostNetwork }}
hostNetwork: {{ .Values.controller.hostNetwork }}
{{- end }}
{{- with .Values.controller.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.controller.dnsPolicy }}
{{- end }}

39
manifests/argo-cd/templates/argocd-applicationset/certificate.yaml Normal file
View File

@ -0,0 +1,39 @@
{{- if .Values.applicationSet.certificate.enabled -}}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.certificateAnnotations) .Values.applicationSet.certificate.annotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
spec:
secretName: argocd-applicationset-controller-tls
commonName: {{ .Values.applicationSet.certificate.domain | default .Values.global.domain }}
dnsNames:
- {{ .Values.applicationSet.certificate.domain | default .Values.global.domain }}
{{- range .Values.applicationSet.certificate.additionalHosts }}
- {{ . | quote }}
{{- end }}
{{- with .Values.applicationSet.certificate.duration }}
duration: {{ . | quote }}
{{- end }}
{{- with .Values.applicationSet.certificate.renewBefore }}
renewBefore: {{ . | quote }}
{{- end }}
issuerRef:
{{- with .Values.applicationSet.certificate.issuer.group }}
group: {{ . | quote }}
{{- end }}
kind: {{ .Values.applicationSet.certificate.issuer.kind | quote }}
name: {{ .Values.applicationSet.certificate.issuer.name | quote }}
{{- with .Values.applicationSet.certificate.privateKey }}
privateKey:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

90
manifests/argo-cd/templates/argocd-applicationset/clusterrole.yaml Normal file
View File

@ -0,0 +1,90 @@
{{- if .Values.applicationSet.allowAnyNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- applicationsets/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- applicationsets/status
verbs:
- get
- patch
- update
- apiGroups:
- argoproj.io
resources:
- appprojects
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- update
- delete
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
{{- end }}

16
manifests/argo-cd/templates/argocd-applicationset/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if .Values.applicationSet.allowAnyNamespace }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "argo-cd.applicationSet.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "argo-cd.applicationSet.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "argo-cd.applicationSet.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

342
manifests/argo-cd/templates/argocd-applicationset/deployment.yaml Normal file
View File

@ -0,0 +1,342 @@
apiVersion: apps/v1
kind: Deployment
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.applicationSet.deploymentAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
spec:
{{- with include "argo-cd.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.applicationSet.deploymentStrategy) }}
strategy:
{{- trim . | nindent 4 }}
{{- end }}
replicas: {{ .Values.applicationSet.replicas }}
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 6 }}
template:
metadata:
annotations:
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.applicationSet.podAnnotations) }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.applicationSet.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.applicationSet.runtimeClassName | default .Values.global.runtimeClassName }}
runtimeClassName: {{ . }}
{{- end }}
{{- with .Values.applicationSet.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.applicationSet.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.applicationSet.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.applicationSet.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.applicationSet.automountServiceAccountToken }}
containers:
- name: {{ .Values.applicationSet.name }}
image: {{ default .Values.global.image.repository .Values.applicationSet.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.applicationSet.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.applicationSet.image.imagePullPolicy }}
args:
- /usr/local/bin/argocd-applicationset-controller
- --metrics-addr=:{{ .Values.applicationSet.containerPorts.metrics }}
- --probe-addr=:{{ .Values.applicationSet.containerPorts.probe }}
- --webhook-addr=:{{ .Values.applicationSet.containerPorts.webhook }}
{{- with .Values.applicationSet.extraArgs }}
{{- toYaml . | nindent 12 }}
{{- end }}
env:
{{- with (concat .Values.global.env .Values.applicationSet.extraEnv) }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.global.preserved.annotations
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_LABELS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.global.preserved.labels
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.leader.election
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER
valueFrom:
configMapKeyRef:
key: repo.server
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_POLICY
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.policy
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.policy.override
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.debug
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.dryrun
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.progressive.syncs
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_NEW_GIT_FILE_GLOBBING
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.enable.new.git.file.globbing
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.repo.server.plaintext
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_STRICT_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.repo.server.strict.tls
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.repo.server.timeout.seconds
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_CONCURRENT_RECONCILIATIONS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.concurrent.reconciliations.max
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH
valueFrom:
configMapKeyRef:
key: applicationsetcontroller.scm.root.ca.path
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.allowed.scm.providers
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.enable.scm.providers
optional: true
- name: ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: applicationsetcontroller.webhook.parallelism.limit
optional: true
{{- with .Values.applicationSet.extraEnvFrom }}
envFrom:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: metrics
containerPort: {{ .Values.applicationSet.containerPorts.metrics }}
protocol: TCP
- name: probe
containerPort: {{ .Values.applicationSet.containerPorts.probe }}
protocol: TCP
- name: webhook
containerPort: {{ .Values.applicationSet.containerPorts.webhook }}
protocol: TCP
{{- if .Values.applicationSet.livenessProbe.enabled }}
livenessProbe:
tcpSocket:
port: probe
initialDelaySeconds: {{ .Values.applicationSet.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.applicationSet.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.applicationSet.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.applicationSet.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.applicationSet.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.applicationSet.readinessProbe.enabled }}
readinessProbe:
tcpSocket:
port: probe
initialDelaySeconds: {{ .Values.applicationSet.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.applicationSet.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.applicationSet.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.applicationSet.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.applicationSet.readinessProbe.failureThreshold }}
{{- end }}
resources:
{{- toYaml .Values.applicationSet.resources | nindent 12 }}
{{- with .Values.applicationSet.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
{{- with .Values.applicationSet.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /tmp
name: tmp
{{- with .Values.applicationSet.extraContainers }}
{{- tpl (toYaml .) $ | nindent 8 }}
{{- end }}
{{- with .Values.applicationSet.initContainers }}
initContainers:
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.applicationSet) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.applicationSet.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.applicationSet.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.applicationSet.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.applicationSet.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- with .Values.applicationSet.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
- name: ssh-known-hosts
configMap:
name: argocd-ssh-known-hosts-cm
- name: tls-certs
configMap:
name: argocd-tls-certs-cm
- name: gpg-keys
configMap:
name: argocd-gpg-keys-cm
- name: gpg-keyring
{{- if .Values.applicationSet.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.applicationSet.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: tmp
{{- if .Values.applicationSet.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.applicationSet.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
{{- with .Values.applicationSet.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.applicationSet.dnsPolicy }}

62
manifests/argo-cd/templates/argocd-applicationset/ingress.yaml Normal file
View File

@ -0,0 +1,62 @@
{{- if .Values.applicationSet.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.applicationSet.ingress.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.applicationSet.ingress.ingressClassName }}
ingressClassName: {{ . }}
{{- end }}
rules:
- host: {{ .Values.applicationSet.ingress.hostname | default .Values.global.domain }}
http:
paths:
{{- with .Values.applicationSet.ingress.extraPaths }}
{{- tpl (toYaml .) $ | nindent 10 }}
{{- end }}
- path: {{ .Values.applicationSet.ingress.path }}
pathType: {{ .Values.applicationSet.ingress.pathType }}
backend:
service:
name: {{ include "argo-cd.applicationSet.fullname" . }}
port:
number: {{ .Values.applicationSet.service.port }}
{{- range .Values.applicationSet.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
paths:
- path: {{ default $.Values.applicationSet.ingress.path .path }}
pathType: {{ default $.Values.applicationSet.ingress.pathType .pathType }}
backend:
service:
name: {{ include "argo-cd.applicationSet.fullname" $ }}
port:
number: {{ $.Values.applicationSet.service.port }}
{{- end }}
{{- with .Values.applicationSet.ingress.extraRules }}
{{- tpl (toYaml .) $ | nindent 4 }}
{{- end }}
{{- if or .Values.applicationSet.ingress.tls .Values.applicationSet.ingress.extraTls }}
tls:
{{- if .Values.applicationSet.ingress.tls }}
- hosts:
- {{ .Values.applicationSet.ingress.hostname | default .Values.global.domain }}
secretName: argocd-applicationset-controller-tls
{{- end }}
{{- with .Values.applicationSet.ingress.extraTls }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}

35
manifests/argo-cd/templates/argocd-applicationset/metrics.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- if .Values.applicationSet.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}-metrics
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" "metrics") | nindent 4 }}
{{- with .Values.applicationSet.metrics.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.applicationSet.metrics.service.annotations .Values.global.addPrometheusAnnotations }}
annotations:
{{- if .Values.global.addPrometheusAnnotations }}
prometheus.io/port: {{ .Values.applicationSet.metrics.service.servicePort | quote }}
prometheus.io/scrape: "true"
{{- end }}
{{- range $key, $value := .Values.applicationSet.metrics.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.applicationSet.metrics.service.type }}
{{- if and .Values.applicationSet.metrics.service.clusterIP (eq .Values.applicationSet.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.applicationSet.metrics.service.clusterIP }}
{{- end }}
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.applicationSet.metrics.service.portName }}
protocol: TCP
port: {{ .Values.applicationSet.metrics.service.servicePort }}
targetPort: metrics
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 4 }}
{{- end }}

26
manifests/argo-cd/templates/argocd-applicationset/networkpolicy.yaml Normal file
View File

@ -0,0 +1,26 @@
{{- if and .Values.global.networkPolicy.create (or .Values.applicationSet.metrics.enabled .Values.applicationSet.ingress.enabled) }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
spec:
ingress:
{{- if .Values.applicationSet.ingress.enabled }}
- ports:
- port: webhook
{{- end }}
{{- if .Values.applicationSet.metrics.enabled }}
- from:
- namespaceSelector: {}
ports:
- port: metrics
{{- end }}
podSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 6 }}
policyTypes:
- Ingress
{{- end }}

27
manifests/argo-cd/templates/argocd-applicationset/pdb.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.applicationSet.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.pdb.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.applicationSet.pdb.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.applicationSet.pdb.maxUnavailable }}
maxUnavailable: {{ . }}
{{- else }}
minAvailable: {{ .Values.applicationSet.pdb.minAvailable | default 0 }}
{{- end }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 6 }}
{{- end }}

89
manifests/argo-cd/templates/argocd-applicationset/role.yaml Normal file
View File

@ -0,0 +1,89 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- applicationsets
- applicationsets/finalizers
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- argoproj.io
resources:
- applicationsets/status
verbs:
- get
- patch
- update
- apiGroups:
- argoproj.io
resources:
- appprojects
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- update
- delete
- get
- list
- patch
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- apps
- extensions
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- get
- list
- patch
- update
- watch

15
manifests/argo-cd/templates/argocd-applicationset/rolebinding.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "argo-cd.applicationSet.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}

25
manifests/argo-cd/templates/argocd-applicationset/service.yaml Normal file
View File

@ -0,0 +1,25 @@
apiVersion: v1
kind: Service
metadata:
{{- if .Values.applicationSet.service.annotations }}
annotations:
{{- range $key, $value := .Values.applicationSet.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.applicationSet.service.type }}
{{- include "argo-cd.dualStack" . | indent 2 }}
ports:
- name: {{ .Values.applicationSet.service.portName }}
port: {{ .Values.applicationSet.service.port }}
targetPort: webhook
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.applicationSet.name) | nindent 4 }}

19
manifests/argo-cd/templates/argocd-applicationset/serviceaccount.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.applicationSet.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.applicationSet.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.applicationSet.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- with .Values.applicationSet.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

51
manifests/argo-cd/templates/argocd-applicationset/servicemonitor.yaml Normal file
View File

@ -0,0 +1,51 @@
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.applicationSet.metrics.enabled .Values.applicationSet.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "argo-cd.applicationSet.fullname" . }}
namespace: {{ default (include "argo-cd.namespace" .) .Values.applicationSet.metrics.serviceMonitor.namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
{{- with .Values.applicationSet.metrics.serviceMonitor.selector }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.applicationSet.metrics.serviceMonitor.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.applicationSet.metrics.serviceMonitor.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ .Values.applicationSet.metrics.service.portName }}
{{- with .Values.applicationSet.metrics.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.applicationSet.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: /metrics
{{- with .Values.applicationSet.metrics.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.applicationSet.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
honorLabels: {{ .Values.applicationSet.metrics.serviceMonitor.honorLabels }}
{{- with .Values.applicationSet.metrics.serviceMonitor.scheme }}
scheme: {{ . }}
{{- end }}
{{- with .Values.applicationSet.metrics.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
namespaceSelector:
matchNames:
- {{ include "argo-cd.namespace" . }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.applicationSet.name "name" "metrics") | nindent 6 }}
{{- end }}

17
manifests/argo-cd/templates/argocd-configs/argocd-cm.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.configs.cm.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cm") | nindent 4 }}
{{- with .Values.configs.cm.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
data:
{{- include "argo-cd.config.cm" . | trim | nindent 2 }}
{{- end }}

17
manifests/argo-cd/templates/argocd-configs/argocd-cmd-params-cm.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.configs.params.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "cmd-params-cm") | nindent 4 }}
{{- if .Values.configs.params.annotations }}
annotations:
{{- range $key, $value := .Values.configs.params.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
data:
{{- include "argo-cd.config.params" . | trim | nindent 2 }}
{{- end }}

25
manifests/argo-cd/templates/argocd-configs/argocd-cmp-cm.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.configs.cmp.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmp-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "cmp-cm") | nindent 4 }}
{{- with .Values.configs.cmp.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
data:
{{- range $cmp_plugin, $cmp_plugin_config := .Values.configs.cmp.plugins }}
{{ $cmp_plugin }}.yaml: |
apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin
metadata:
name: {{ $cmp_plugin }}
spec:
{{- toYaml $cmp_plugin_config | nindent 6 }}
{{- end }}
{{- end }}

25
manifests/argo-cd/templates/argocd-configs/argocd-dex-server-tls-secret.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if and .Values.dex.enabled .Values.dex.certificateSecret.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: argocd-dex-server-tls
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.dex.name "name" "dex-server-tls") | nindent 4 }}
{{- with .Values.dex.certificateSecret.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.dex.certificateSecret.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: kubernetes.io/tls
data:
{{- with .Values.dex.certificateSecret.ca }}
ca.crt: {{ . | b64enc | quote }}
{{- end }}
tls.crt: {{ .Values.dex.certificateSecret.crt | b64enc | quote }}
tls.key: {{ .Values.dex.certificateSecret.key | b64enc | quote }}
{{- end }}

17
manifests/argo-cd/templates/argocd-configs/argocd-gpg-keys-cm.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-gpg-keys-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "name" "gpg-keys-cm") | nindent 4 }}
{{- with .Values.configs.gpg.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- with .Values.configs.gpg.keys }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}

28
manifests/argo-cd/templates/argocd-configs/argocd-notifications-cm.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if and .Values.notifications.enabled .Values.notifications.cm.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-notifications-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
data:
context: |
argocdUrl: {{ .Values.notifications.argocdUrl | default (printf "https://%s" .Values.global.domain) }}
{{- with .Values.notifications.context }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.notifications.notifiers }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.notifications.subscriptions }}
subscriptions: |
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.notifications.templates }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- with .Values.notifications.triggers }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

23
manifests/argo-cd/templates/argocd-configs/argocd-notifications-secret.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if and .Values.notifications.enabled .Values.notifications.secret.create }}
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.notifications.secret.name }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
{{- with .Values.notifications.secret.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.notifications.secret.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: Opaque
stringData:
{{- with .Values.notifications.secret.items }}
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

19
manifests/argo-cd/templates/argocd-configs/argocd-rbac-cm.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if .Values.configs.rbac.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "rbac-cm") | nindent 4 }}
{{- with .Values.configs.rbac.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- with (omit .Values.configs.rbac "create" "annotations") }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}
{{- end }}

25
manifests/argo-cd/templates/argocd-configs/argocd-repo-server-tls-secret.yaml Normal file
View File

@ -0,0 +1,25 @@
{{- if .Values.repoServer.certificateSecret.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: argocd-repo-server-tls
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" "repo-server-tls") | nindent 4 }}
{{- with .Values.repoServer.certificateSecret.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.repoServer.certificateSecret.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: kubernetes.io/tls
data:
{{- with .Values.repoServer.certificateSecret.ca }}
ca.crt: {{ . | b64enc | quote }}
{{- end }}
tls.crt: {{ .Values.repoServer.certificateSecret.crt | b64enc | quote }}
tls.key: {{ .Values.repoServer.certificateSecret.key | b64enc | quote }}
{{- end }}

49
manifests/argo-cd/templates/argocd-configs/argocd-secret.yaml Normal file
View File

@ -0,0 +1,49 @@
{{- if .Values.configs.secret.createSecret }}
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "secret") | nindent 4 }}
{{- with .Values.configs.secret.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.configs.secret.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: Opaque
{{- if or .Values.configs.secret.githubSecret (or .Values.configs.secret.gitlabSecret .Values.configs.secret.bitbucketUUID .Values.configs.secret.bitbucketServerSecret .Values.configs.secret.gogsSecret (and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password) .Values.configs.secret.argocdServerAdminPassword .Values.configs.secret.extra) }}
# Setting a blank data again will wipe admin password/key/cert
data:
{{- with .Values.configs.secret.githubSecret }}
webhook.github.secret: {{ . | b64enc }}
{{- end }}
{{- with .Values.configs.secret.gitlabSecret }}
webhook.gitlab.secret: {{ . | b64enc }}
{{- end }}
{{- with .Values.configs.secret.bitbucketServerSecret }}
webhook.bitbucketserver.secret: {{ . | b64enc }}
{{- end }}
{{- with .Values.configs.secret.bitbucketUUID }}
webhook.bitbucket.uuid: {{ . | b64enc }}
{{- end }}
{{- with .Values.configs.secret.gogsSecret }}
webhook.gogs.secret: {{ . | b64enc }}
{{- end }}
{{- if and .Values.configs.secret.azureDevops.username .Values.configs.secret.azureDevops.password }}
webhook.azuredevops.username: {{ .Values.configs.secret.azureDevops.username | b64enc }}
webhook.azuredevops.password: {{ .Values.configs.secret.azureDevops.password | b64enc }}
{{- end }}
{{- if .Values.configs.secret.argocdServerAdminPassword }}
admin.password: {{ .Values.configs.secret.argocdServerAdminPassword | b64enc }}
admin.passwordMtime: {{ default (dateInZone "2006-01-02T15:04:05Z" (now) "UTC") .Values.configs.secret.argocdServerAdminPasswordMtime | b64enc }}
{{- end }}
{{- range $key, $value := .Values.configs.secret.extra }}
{{ $key }}: {{ $value | b64enc }}
{{- end }}
{{- end }}
{{- end }}

22
manifests/argo-cd/templates/argocd-configs/argocd-server-tls-secret.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if and .Values.server.certificateSecret.enabled (not .Values.server.certificate.enabled) }}
apiVersion: v1
kind: Secret
metadata:
name: argocd-server-tls
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.server.name "name" "server-tls") | nindent 4 }}
{{- with .Values.server.certificateSecret.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.server.certificateSecret.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: kubernetes.io/tls
data:
tls.crt: {{ .Values.server.certificateSecret.crt | b64enc | quote }}
tls.key: {{ .Values.server.certificateSecret.key | b64enc | quote }}
{{- end }}

21
manifests/argo-cd/templates/argocd-configs/argocd-ssh-known-hosts-cm.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- if .Values.configs.ssh.create }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-ssh-known-hosts-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "name" "ssh-known-hosts-cm") | nindent 4 }}
{{- with .Values.configs.ssh.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
data:
ssh_known_hosts: |
{{- .Values.configs.ssh.knownHosts | nindent 4 }}
{{- with .Values.configs.ssh.extraHosts }}
{{- . | nindent 4 }}
{{- end }}
{{- end }}

12
manifests/argo-cd/templates/argocd-configs/argocd-styles-cm.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.configs.styles }}
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-styles-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
data:
custom.styles.css: |
{{- .Values.configs.styles | nindent 4 }}
{{- end }}

17
manifests/argo-cd/templates/argocd-configs/argocd-tls-certs-cm.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-tls-certs-cm
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "name" "tls-certs-cm") | nindent 4 }}
{{- with .Values.configs.tls.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- with .Values.configs.tls.certificates }}
data:
{{- toYaml . | nindent 2 }}
{{- end }}

38
manifests/argo-cd/templates/argocd-configs/cluster-secrets.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- range $cluster_key, $cluster_value := .Values.configs.clusterCredentials }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "argo-cd.name" $ }}-cluster-{{ $cluster_key }}
namespace: {{ include "argo-cd.namespace" $ | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
{{- with $cluster_value.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
argocd.argoproj.io/secret-type: cluster
{{- with $cluster_value.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: Opaque
stringData:
{{- if $cluster_value.shard }}
shard: {{ $cluster_value.shard | quote }}
{{- end }}
name: {{ required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.name entry is required!" $cluster_key }}
server: {{ required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.server entry is required!" $cluster_value.server }}
{{- if $cluster_value.namespaces }}
namespaces: {{ $cluster_value.namespaces }}
{{- if $cluster_value.clusterResources }}
clusterResources: {{ $cluster_value.clusterResources | quote }}
{{- end }}
{{- end }}
{{- if $cluster_value.project }}
project: {{ $cluster_value.project | quote }}
{{- end }}
config: |
{{- required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.config entry is required!" $cluster_value.config | toRawJson | nindent 4 }}
{{- end }}

23
manifests/argo-cd/templates/argocd-configs/externalredis-secret.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if and (or .Values.externalRedis.username .Values.externalRedis.password) (not .Values.externalRedis.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: argocd-redis
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
{{- with .Values.externalRedis.secretAnnotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
type: Opaque
data:
{{- with .Values.externalRedis.username }}
redis-username: {{ . | b64enc }}
{{- end }}
{{- with .Values.externalRedis.password }}
redis-password: {{ . | b64enc }}
{{- end }}
{{- end }}

21
manifests/argo-cd/templates/argocd-configs/repository-credentials-secret.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- range $repo_cred_key, $repo_cred_value := .Values.configs.credentialTemplates }}
---
apiVersion: v1
kind: Secret
metadata:
name: argocd-repo-creds-{{ $repo_cred_key }}
namespace: {{ include "argo-cd.namespace" $ | quote }}
labels:
argocd.argoproj.io/secret-type: repo-creds
{{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
{{- with $.Values.configs.credentialTemplatesAnnotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
data:
{{- range $key, $value := $repo_cred_value }}
{{ $key }}: {{ $value | toString | b64enc }}
{{- end }}
{{- end }}

21
manifests/argo-cd/templates/argocd-configs/repository-secret.yaml Normal file
View File

@ -0,0 +1,21 @@
{{- range $repo_key, $repo_value := .Values.configs.repositories }}
---
apiVersion: v1
kind: Secret
metadata:
name: argocd-repo-{{ $repo_key }}
namespace: {{ include "argo-cd.namespace" $ | quote }}
labels:
argocd.argoproj.io/secret-type: repository
{{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
{{- with $.Values.configs.repositoriesAnnotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
data:
{{- range $key, $value := $repo_value }}
{{ $key }}: {{ $value | b64enc }}
{{- end }}
{{- end }}

52
manifests/argo-cd/templates/argocd-notifications/clusterrole.yaml Normal file
View File

@ -0,0 +1,52 @@
{{- if and .Values.notifications.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.notifications.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
rules:
{{- with .Values.notifications.clusterRoleRules.rules }}
{{- toYaml . | nindent 2 }}
{{- end }}
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- list
- watch
{{- if (index .Values.configs.params "application.namespaces") }}
- create
{{- end }}
{{- if .Values.notifications.cm.create }}
- apiGroups:
- ""
resourceNames:
- argocd-notifications-cm
resources:
- configmaps
verbs:
- get
{{- end }}
- apiGroups:
- ""
resourceNames:
- {{ .Values.notifications.secret.name }}
resources:
- secrets
verbs:
- get
{{- end }}

16
manifests/argo-cd/templates/argocd-notifications/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if and .Values.notifications.enabled .Values.createClusterRoles }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "argo-cd.notifications.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "argo-cd.notifications.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.notifications.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

207
manifests/argo-cd/templates/argocd-notifications/deployment.yaml Normal file
View File

@ -0,0 +1,207 @@
{{- if .Values.notifications.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.notifications.deploymentAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ include "argo-cd.notifications.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
spec:
replicas: 1
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
{{- with include "argo-cd.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.notifications.deploymentStrategy) }}
strategy:
{{- trim . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }}
template:
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.notifications.podAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.notifications.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.notifications.runtimeClassName | default .Values.global.runtimeClassName }}
runtimeClassName: {{ . }}
{{- end }}
{{- with .Values.notifications.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notifications.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.notifications.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.notifications.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.notifications.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.notifications.automountServiceAccountToken }}
containers:
- name: {{ .Values.notifications.name }}
image: {{ default .Values.global.image.repository .Values.notifications.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.notifications.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.notifications.image.imagePullPolicy }}
args:
- /usr/local/bin/argocd-notifications
- --metrics-port={{ .Values.notifications.containerPorts.metrics }}
- --loglevel={{ default .Values.global.logging.level .Values.notifications.logLevel }}
- --logformat={{ default .Values.global.logging.format .Values.notifications.logFormat }}
- --namespace={{ include "argo-cd.namespace" . }}
- --argocd-repo-server={{ template "argo-cd.repoServer.fullname" . }}:{{ .Values.repoServer.service.port }}
- --secret-name={{ .Values.notifications.secret.name }}
{{- range .Values.notifications.extraArgs }}
- {{ . | squote }}
{{- end }}
env:
{{- with (concat .Values.global.env .Values.notifications.extraEnv) }}
{{- toYaml . | nindent 12 }}
{{- end }}
- name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: notificationscontroller.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATIONS_CONTROLLER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: notificationscontroller.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_APPLICATION_NAMESPACES
valueFrom:
configMapKeyRef:
key: application.namespaces
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED
valueFrom:
configMapKeyRef:
key: notificationscontroller.selfservice.enabled
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_NOTIFICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
valueFrom:
configMapKeyRef:
key: notificationscontroller.repo.server.plaintext
name: argocd-cmd-params-cm
optional: true
{{- with .Values.notifications.extraEnvFrom }}
envFrom:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: metrics
containerPort: {{ .Values.notifications.containerPorts.metrics }}
protocol: TCP
{{- if .Values.notifications.livenessProbe.enabled }}
livenessProbe:
tcpSocket:
port: metrics
initialDelaySeconds: {{ .Values.notifications.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.notifications.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.notifications.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.notifications.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.notifications.livenessProbe.failureThreshold }}
{{- end }}
{{- if .Values.notifications.readinessProbe.enabled }}
readinessProbe:
tcpSocket:
port: metrics
initialDelaySeconds: {{ .Values.notifications.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.notifications.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.notifications.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.notifications.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.notifications.readinessProbe.failureThreshold }}
{{- end }}
resources:
{{- toYaml .Values.notifications.resources | nindent 12 }}
{{- with .Values.notifications.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 12 }}
{{- end }}
workingDir: /app
volumeMounts:
- name: tls-certs
mountPath: /app/config/tls
- name: argocd-repo-server-tls
mountPath: /app/config/reposerver/tls
{{- with .Values.notifications.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.notifications.extraContainers }}
{{- tpl (toYaml . ) $ | nindent 8 }}
{{- end }}
{{- with .Values.notifications.initContainers }}
initContainers:
{{- tpl (toYaml . ) $ | nindent 8 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.notifications) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.notifications.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notifications.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notifications.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.notifications.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- with .Values.notifications.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
- name: tls-certs
configMap:
name: argocd-tls-certs-cm
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
{{- with .Values.notifications.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.notifications.dnsPolicy }}
{{- end }}

35
manifests/argo-cd/templates/argocd-notifications/metrics.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- if and .Values.notifications.enabled .Values.notifications.metrics.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "argo-cd.notifications.fullname" . }}-metrics
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" "metrics") | nindent 4 }}
{{- with .Values.notifications.metrics.service.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.notifications.metrics.service.annotations .Values.global.addPrometheusAnnotations }}
annotations:
{{- if .Values.global.addPrometheusAnnotations }}
prometheus.io/port: {{ .Values.notifications.metrics.port | quote }}
prometheus.io/scrape: "true"
{{- end }}
{{- range $key, $value := .Values.notifications.metrics.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.notifications.metrics.service.type }}
{{- if and .Values.notifications.metrics.service.clusterIP (eq .Values.notifications.metrics.service.type "ClusterIP") }}
clusterIP: {{ .Values.notifications.metrics.service.clusterIP }}
{{- end }}
{{- include "argo-cd.dualStack" . | indent 2 }}
selector:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }}
ports:
- name: {{ .Values.notifications.metrics.service.portName }}
protocol: TCP
port: {{ .Values.notifications.metrics.port }}
targetPort: metrics
{{- end }}

20
manifests/argo-cd/templates/argocd-notifications/networkpolicy.yaml Normal file
View File

@ -0,0 +1,20 @@
{{- if and .Values.notifications.enabled .Values.global.networkPolicy.create .Values.notifications.metrics.enabled }}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ template "argo-cd.notifications.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
spec:
ingress:
- from:
- namespaceSelector: {}
ports:
- port: metrics
podSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }}
policyTypes:
- Ingress
{{- end }}

27
manifests/argo-cd/templates/argocd-notifications/pdb.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if and .Values.notifications.enabled .Values.notifications.pdb.enabled }}
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: {{ include "argo-cd.notifications.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
{{- with .Values.notifications.pdb.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.notifications.pdb.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
{{- with .Values.notifications.pdb.maxUnavailable }}
maxUnavailable: {{ . }}
{{- else }}
minAvailable: {{ .Values.notifications.pdb.minAvailable | default 0 }}
{{- end }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }}
{{- end }}

45
manifests/argo-cd/templates/argocd-notifications/role.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if .Values.notifications.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "argo-cd.notifications.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
rules:
- apiGroups:
- argoproj.io
resources:
- applications
- appprojects
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- ""
resources:
- configmaps
- secrets
verbs:
- list
- watch
- apiGroups:
- ""
resourceNames:
- argocd-notifications-cm
resources:
- configmaps
verbs:
- get
- apiGroups:
- ""
resourceNames:
- {{ .Values.notifications.secret.name }}
resources:
- secrets
verbs:
- get
{{- end }}

17
manifests/argo-cd/templates/argocd-notifications/rolebinding.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- if .Values.notifications.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "argo-cd.notifications.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "argo-cd.notifications.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.notifications.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

19
manifests/argo-cd/templates/argocd-notifications/serviceaccount.yaml Normal file
View File

@ -0,0 +1,19 @@
{{- if and .Values.notifications.enabled .Values.notifications.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: {{ .Values.notifications.serviceAccount.automountServiceAccountToken }}
metadata:
name: {{ include "argo-cd.notifications.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- with .Values.notifications.serviceAccount.annotations }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
{{- with .Values.notifications.serviceAccount.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

51
manifests/argo-cd/templates/argocd-notifications/servicemonitor.yaml Normal file
View File

@ -0,0 +1,51 @@
{{- if and (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") .Values.notifications.enabled .Values.notifications.metrics.enabled .Values.notifications.metrics.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "argo-cd.notifications.fullname" . }}
namespace: {{ default (include "argo-cd.namespace" .) .Values.notifications.metrics.serviceMonitor.namespace | quote }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
{{- with .Values.notifications.metrics.serviceMonitor.selector }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.notifications.metrics.serviceMonitor.additionalLabels }}
{{- toYaml .Values.notifications.metrics.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
{{- with .Values.notifications.metrics.serviceMonitor.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: {{ .Values.notifications.metrics.service.portName }}
path: /metrics
{{- if .Values.notifications.metrics.serviceMonitor.interval }}
interval: {{ .Values.notifications.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.notifications.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.notifications.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- with .Values.notifications.metrics.serviceMonitor.scheme }}
scheme: {{ . }}
{{- end }}
{{- with .Values.notifications.metrics.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notifications.metrics.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.notifications.metrics.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- toYaml . | nindent 8 }}
{{- end }}
honorLabels: {{ .Values.notifications.metrics.serviceMonitor.honorLabels }}
namespaceSelector:
matchNames:
- {{ include "argo-cd.namespace" . }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "component" .Values.notifications.name "name" "metrics") | nindent 6 }}
{{- end }}

23
manifests/argo-cd/templates/argocd-repo-server/clusterrole.yaml Normal file
View File

@ -0,0 +1,23 @@
{{- if and .Values.createClusterRoles .Values.repoServer.clusterRoleRules.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "argo-cd.repoServer.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
rules:
{{- with .Values.repoServer.clusterRoleRules.rules }}
{{- toYaml . | nindent 2 }}
{{- else }}
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
{{- end }}
{{- end }}

16
manifests/argo-cd/templates/argocd-repo-server/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,16 @@
{{- if and .Values.createClusterRoles .Values.repoServer.clusterRoleRules.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "argo-cd.repoServer.fullname" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "argo-cd.repoServer.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ include "argo-cd.repoServer.serviceAccountName" . }}
namespace: {{ include "argo-cd.namespace" . }}
{{- end }}

506
manifests/argo-cd/templates/argocd-repo-server/deployment.yaml Normal file
View File

@ -0,0 +1,506 @@
apiVersion: apps/v1
kind: Deployment
metadata:
{{- with (mergeOverwrite (deepCopy .Values.global.deploymentAnnotations) .Values.repoServer.deploymentAnnotations) }}
annotations:
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
name: {{ template "argo-cd.repoServer.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
spec:
{{- with include "argo-cd.strategy" (mergeOverwrite (deepCopy .Values.global.deploymentStrategy) .Values.repoServer.deploymentStrategy) }}
strategy:
{{- trim . | nindent 4 }}
{{- end }}
{{- if not .Values.repoServer.autoscaling.enabled }}
replicas: {{ .Values.repoServer.replicas }}
{{- end }}
revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
selector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.repoServer.name) | nindent 6 }}
template:
metadata:
annotations:
checksum/cmd-params: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmd-params-cm.yaml") . | sha256sum }}
{{- if .Values.repoServer.certificateSecret.enabled }}
checksum/repo-server-tls: {{ include (print $.Template.BasePath "/argocd-configs/argocd-repo-server-tls-secret.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.configs.cm.create }}
checksum/cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cm.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.configs.cmp.create }}
checksum/cmp-cm: {{ include (print $.Template.BasePath "/argocd-configs/argocd-cmp-cm.yaml") . | sha256sum }}
{{- end }}
{{- with (mergeOverwrite (deepCopy .Values.global.podAnnotations) .Values.repoServer.podAnnotations) }}
{{- range $key, $value := . }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 8 }}
{{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.repoServer.podLabels) }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.repoServer.runtimeClassName | default .Values.global.runtimeClassName }}
runtimeClassName: {{ . }}
{{- end }}
{{- with .Values.repoServer.imagePullSecrets | default .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.global.securityContext }}
securityContext:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.repoServer.priorityClassName | default .Values.global.priorityClassName }}
priorityClassName: {{ . }}
{{- end }}
{{- if .Values.repoServer.terminationGracePeriodSeconds }}
terminationGracePeriodSeconds: {{ .Values.repoServer.terminationGracePeriodSeconds }}
{{- end }}
serviceAccountName: {{ include "argo-cd.repoServer.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.repoServer.automountServiceAccountToken }}
containers:
- name: {{ .Values.repoServer.name }}
image: {{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}
args:
- /usr/local/bin/argocd-repo-server
- --port={{ .Values.repoServer.containerPorts.server }}
- --metrics-port={{ .Values.repoServer.containerPorts.metrics }}
{{- with .Values.repoServer.extraArgs }}
{{- toYaml . | nindent 8 }}
{{- end }}
env:
{{- with (concat .Values.global.env .Values.repoServer.env) }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.openshift.enabled }}
- name: USER_NAME
value: argocd
{{- end }}
- name: ARGOCD_REPO_SERVER_NAME
value: {{ template "argo-cd.repoServer.fullname" . }}
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
name: argocd-cm
key: timeout.reconciliation
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.log.format
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.log.level
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.parallelism.limit
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.listen.address
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.metrics.listen.address
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.disable.tls
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.tls.minversion
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.tls.maxversion
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.tls.ciphers
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.repo.cache.expiration
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.server
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.compression
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: redis.db
optional: true
- name: REDIS_USERNAME
valueFrom:
secretKeyRef:
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
key: redis-username
optional: true
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
{{- if .Values.externalRedis.host }}
key: redis-password
{{- else }}
key: auth
{{- end }}
optional: true
- name: REDIS_SENTINEL_USERNAME
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
key: redis-sentinel-username
optional: true
- name: REDIS_SENTINEL_PASSWORD
valueFrom:
secretKeyRef:
name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
key: redis-sentinel-password
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.default.cache.expiration
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.address
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.insecure
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: otlp.headers
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.max.combined.directory.manifests.size
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.plugin.tar.exclusions
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
name: argocd-cmd-params-cm
key: reposerver.disable.helm.manifest.max.extracted.size
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REVISION_CACHE_LOCK_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.revision.cache.lock.timeout
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_INCLUDE_HIDDEN_DIRECTORIES
valueFrom:
configMapKeyRef:
key: reposerver.include.hidden.directories
name: argocd-cmd-params-cm
optional: true
{{- if .Values.repoServer.useEphemeralHelmWorkingDir }}
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
{{- end }}
{{- with .Values.repoServer.envFrom }}
envFrom:
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
{{- if .Values.repoServer.volumeMounts }}
{{- toYaml .Values.repoServer.volumeMounts | nindent 8 }}
{{- end }}
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
{{- if .Values.repoServer.useEphemeralHelmWorkingDir }}
- mountPath: /helm-working-dir
name: helm-working-dir
{{- end }}
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
ports:
- name: repo-server
containerPort: {{ .Values.repoServer.containerPorts.server }}
protocol: TCP
- name: metrics
containerPort: {{ .Values.repoServer.containerPorts.metrics }}
protocol: TCP
livenessProbe:
httpGet:
path: /healthz?full=true
port: metrics
initialDelaySeconds: {{ .Values.repoServer.livenessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.repoServer.livenessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.repoServer.livenessProbe.timeoutSeconds }}
successThreshold: {{ .Values.repoServer.livenessProbe.successThreshold }}
failureThreshold: {{ .Values.repoServer.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: metrics
initialDelaySeconds: {{ .Values.repoServer.readinessProbe.initialDelaySeconds }}
periodSeconds: {{ .Values.repoServer.readinessProbe.periodSeconds }}
timeoutSeconds: {{ .Values.repoServer.readinessProbe.timeoutSeconds }}
successThreshold: {{ .Values.repoServer.readinessProbe.successThreshold }}
failureThreshold: {{ .Values.repoServer.readinessProbe.failureThreshold }}
resources:
{{- toYaml .Values.repoServer.resources | nindent 10 }}
{{- with .Values.repoServer.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.repoServer.lifecycle }}
lifecycle:
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.repoServer.extraContainers }}
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
initContainers:
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: {{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}
imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}
name: copyutil
resources:
{{- toYaml .Values.repoServer.resources | nindent 10 }}
{{- with .Values.repoServer.containerSecurityContext }}
securityContext:
{{- toYaml . | nindent 10 }}
{{- end }}
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
{{- with .Values.repoServer.initContainers }}
{{- tpl (toYaml .) $ | nindent 6 }}
{{- end }}
{{- with include "argo-cd.affinity" (dict "context" . "component" .Values.repoServer) }}
affinity:
{{- trim . | nindent 8 }}
{{- end }}
{{- with .Values.repoServer.nodeSelector | default .Values.global.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.repoServer.tolerations | default .Values.global.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.repoServer.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
topologySpreadConstraints:
{{- range $constraint := . }}
- {{ toYaml $constraint | nindent 8 | trim }}
{{- if not $constraint.labelSelector }}
labelSelector:
matchLabels:
{{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.repoServer.name) | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- with .Values.repoServer.volumes }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- if .Values.repoServer.useEphemeralHelmWorkingDir }}
- name: helm-working-dir
{{- if .Values.repoServer.existingVolumes.helmWorkingDir -}}
{{ toYaml .Values.repoServer.existingVolumes.helmWorkingDir | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
{{- end }}
- name: plugins
{{- if .Values.repoServer.existingVolumes.plugins -}}
{{ toYaml .Values.repoServer.existingVolumes.plugins | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: var-files
{{- if .Values.repoServer.existingVolumes.varFiles -}}
{{ toYaml .Values.repoServer.existingVolumes.varFiles | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: tmp
{{- if .Values.repoServer.existingVolumes.tmp -}}
{{ toYaml .Values.repoServer.existingVolumes.tmp | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: ssh-known-hosts
configMap:
name: argocd-ssh-known-hosts-cm
- name: tls-certs
configMap:
name: argocd-tls-certs-cm
- name: gpg-keys
configMap:
name: argocd-gpg-keys-cm
- name: gpg-keyring
{{- if .Values.repoServer.existingVolumes.gpgKeyring -}}
{{ toYaml .Values.repoServer.existingVolumes.gpgKeyring | nindent 8 }}
{{- else }}
{{- if .Values.repoServer.emptyDir.sizeLimit }}
emptyDir:
sizeLimit: {{ .Values.repoServer.emptyDir.sizeLimit }}
{{- else }}
emptyDir: {}
{{- end }}
{{- end }}
- name: argocd-repo-server-tls
secret:
secretName: argocd-repo-server-tls
optional: true
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
{{- if .Values.repoServer.hostNetwork }}
hostNetwork: {{ .Values.repoServer.hostNetwork }}
{{- end }}
{{- with .Values.repoServer.dnsConfig }}
dnsConfig:
{{- toYaml . | nindent 8 }}
{{- end }}
dnsPolicy: {{ .Values.repoServer.dnsPolicy }}

41
manifests/argo-cd/templates/argocd-repo-server/hpa.yaml Normal file
View File

@ -0,0 +1,41 @@
{{- if .Values.repoServer.autoscaling.enabled }}
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "argo-cd.repoServer.fullname" . }}
namespace: {{ include "argo-cd.namespace" . }}
labels:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.repoServer.name "name" .Values.repoServer.name) | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "argo-cd.repoServer.fullname" . }}
minReplicas: {{ .Values.repoServer.autoscaling.minReplicas }}
maxReplicas: {{ .Values.repoServer.autoscaling.maxReplicas }}
metrics:
{{- with .Values.repoServer.autoscaling.metrics }}
{{- toYaml . | nindent 4 }}
{{- else }}
{{- with .Values.repoServer.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- with .Values.repoServer.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.repoServer.autoscaling.behavior }}
behavior:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

Some files were not shown because too many files have changed in this diff Show More