Merge pull request 'Update ArgoCD to v2.11.3 due to bug in multi sour…

…ce apps' (#274) from argocd-upgrade into master Reviewed-on: https://gitea.obmondo.com/EnableIT/KubeAid/pulls/274
Obmondo · Jun 15, 2024 · 7517c27 · 7517c27
2 parents ba1bc46 + 8b284b6
commit 7517c27
Show file tree

Hide file tree

Showing 31 changed files with 407 additions and 37 deletions.
diff --git a/argocd-helm-charts/argo-cd/Chart.yaml b/argocd-helm-charts/argo-cd/Chart.yaml
@@ -7,5 +7,5 @@ dependencies:
     # 2.3v argocd failes with remote value files
     # 3.35.4v helm chart fails also with bad path of the values files (this is the last release for 2.2.x argocd)
     # please stick to 3.29.5, why ? cause its a tested and the last working helm chart version
-    version: 6.9.2
+    version: "7.1.3"
     repository: https://argoproj.github.io/argo-helm
diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/Chart.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/Chart.yaml
@@ -1,12 +1,12 @@
 annotations:
   artifacthub.io/changes: |
-    - kind: added
-      description: Support ability to set .Values.namespaceOverride
+    - kind: fixed
+      description: Add missing permission for Dynamic Cluster Distribution
   artifacthub.io/signKey: |
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
 apiVersion: v2
-appVersion: v2.11.0
+appVersion: v2.11.3
 dependencies:
 - condition: redis-ha.enabled
   name: redis-ha
@@ -28,4 +28,4 @@ name: argo-cd
 sources:
 - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
 - https://github.com/argoproj/argo-cd
-version: 6.9.2
+version: 7.1.3
diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/README.md b/argocd-helm-charts/argo-cd/charts/argo-cd/README.md
@@ -278,6 +278,39 @@ For full list of changes please check ArtifactHub [changelog].
 
 Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.
 
+### 6.10.0
+
+This version introduces authentication for Redis to mitigate GHSA-9766-5277-j5hr.
+
+#### How to rotate Redis secret?
+
+Upstream steps in the [FAQ] are not enough, since we chose a different approach.
+(We use a Kubernetes Job with [Chart Hooks] to create the auth secret `argocd-redis`.)
+
+Steps to roteate the secret when using the helm chart (bold step is additional to upstream):
+* Delete `argocd-redis` secret in the namespace where Argo CD is installed.
+  ```bash
+  kubectl delete secret argocd-redis -n <argocd namesapce>
+  ```
+* **Perform a helm upgrade**
+  ```bash
+  helm upgrade argocd argo/argo-cd --reuse-values --wait
+  ```
+* If you are running Redis in HA mode, restart Redis in HA.
+  ```bash
+  kubectl rollout restart deployment argocd-redis-ha-haproxy
+  kubectl rollout restart statefulset argocd-redis-ha-server
+  ```
+* If you are running Redis in non-HA mode, restart Redis.
+  ```bash
+  kubectl rollout restart deployment argocd-redis
+  ```
+* Restart other components.
+  ```bash
+  kubectl rollout restart deployment argocd-server argocd-repo-server
+  kubectl rollout restart statefulset argocd-application-controller
+  ```
+
 ### 6.9.0
 ApplicationSet controller is always created to follow [upstream's manifest](https://github.com/argoproj/argo-cd/blob/v2.11.0/manifests/core-install/kustomization.yaml#L9). 
 
@@ -638,6 +671,8 @@ NAME: my-release
 | global.deploymentAnnotations | object | `{}` | Annotations for the all deployed Deployments |
 | global.deploymentStrategy | object | `{}` | Deployment strategy for the all deployed Deployments |
 | global.domain | string | `"argocd.example.com"` | Default domain used by all components |
+| global.dualStack.ipFamilies | list | `[]` | IP families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. |
+| global.dualStack.ipFamilyPolicy | string | `""` | IP family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) |
 | global.env | list | `[]` | Environment variables to pass to all deployed Deployments |
 | global.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files |
 | global.image.imagePullPolicy | string | `"IfNotPresent"` | If defined, a imagePullPolicy applied to all Argo CD deployments |
@@ -662,7 +697,7 @@ NAME: my-release
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| configs.clusterCredentials | list | `[]` (See [values.yaml]) | Provide one or multiple [external cluster credentials] |
+| configs.clusterCredentials | object | `{}` (See [values.yaml]) | Provide one or multiple [external cluster credentials] |
 | configs.cm."admin.enabled" | bool | `true` | Enable local admin user |
 | configs.cm."application.instanceLabelKey" | string | `"argocd.argoproj.io/instance"` | The name of tracking label used by Argo CD for resource pruning |
 | configs.cm."exec.enabled" | bool | `false` | Enable exec feature in Argo UI |
@@ -1271,8 +1306,10 @@ The main options are listed here:
 |-----|------|---------|-------------|
 | redis-ha.additionalAffinities | object | `{}` | Additional affinities to add to the Redis server pods. |
 | redis-ha.affinity | string | `""` | Assign custom [affinity] rules to the Redis pods. |
+| redis-ha.auth | bool | `true` | Configures redis-ha with AUTH |
 | redis-ha.containerSecurityContext | object | See [values.yaml] | Redis HA statefulset container-level security context |
 | redis-ha.enabled | bool | `false` | Enables the Redis HA subchart and disables the custom Redis single node deployment |
+| redis-ha.existingSecret | string | `"argocd-redis"` | Existing Secret to use for redis-ha authentication. By default the redis-secret-init Job is generating this Secret. |
 | redis-ha.exporter.enabled | bool | `false` | Enable Prometheus redis-exporter sidecar |
 | redis-ha.exporter.image | string | `"public.ecr.aws/bitnami/redis-exporter"` | Repository to use for the redis-exporter |
 | redis-ha.exporter.tag | string | `"1.58.0"` | Tag to use for the redis-exporter |
@@ -1316,6 +1353,33 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
 | externalRedis.secretAnnotations | object | `{}` | External Redis Secret annotations |
 | externalRedis.username | string | `""` | External Redis username |
 
+### Redis secret-init
+
+The helm chart deploys a Job to setup a random password which is used to secure the Redis. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
+If you use an External Redis (See Option 3 above), this Job is not deployed.
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| redisSecretInit.containerSecurityContext | object | See [values.yaml] | Application controller container-level security context |
+| redisSecretInit.enabled | bool | `true` | Enable Redis secret initialization. If disabled, secret must be provisioned by alternative methods |
+| redisSecretInit.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the Redis secret-init Job |
+| redisSecretInit.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the Redis secret-init Job |
+| redisSecretInit.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the Redis secret-init Job |
+| redisSecretInit.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
+| redisSecretInit.jobAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job |
+| redisSecretInit.name | string | `"redis-secret-init"` | Redis secret-init name |
+| redisSecretInit.nodeSelector | object | `{}` (defaults to global.nodeSelector) | Node selector to be added to the Redis secret-init Job |
+| redisSecretInit.podAnnotations | object | `{}` | Annotations to be added to the Redis secret-init Job |
+| redisSecretInit.podLabels | object | `{}` | Labels to be added to the Redis secret-init Job |
+| redisSecretInit.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for Redis secret-init Job |
+| redisSecretInit.resources | object | `{}` | Resource limits and requests for Redis secret-init Job |
+| redisSecretInit.securityContext | object | `{}` | Redis secret-init Job pod-level security context |
+| redisSecretInit.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
+| redisSecretInit.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
+| redisSecretInit.serviceAccount.create | bool | `true` | Create a service account for the redis pod |
+| redisSecretInit.serviceAccount.name | string | `""` | Service account name for redis pod |
+| redisSecretInit.tolerations | list | `[]` (defaults to global.tolerations) | Tolerations to be added to the Redis secret-init Job |
+
 ## ApplicationSet
 
 | Key | Type | Default | Description |
@@ -1507,8 +1571,10 @@ Autogenerated from chart metadata using [helm-docs](https://github.com/norwoodj/
 [BackendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/concepts/backendconfig#backendconfigspec_v1beta1_cloudgooglecom
 [CSS styles]: https://argo-cd.readthedocs.io/en/stable/operator-manual/custom-styles/
 [changelog]: https://artifacthub.io/packages/helm/argo/argo-cd?modal=changelog
+[Chart Hooks]: https://helm.sh/docs/topics/charts_hooks/
 [DNS configuration]: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
 [external cluster credentials]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters
+[FAQ]: https://argo-cd.readthedocs.io/en/stable/faq/
 [FrontendConfigSpec]: https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
 [declarative setup]: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup
 [gRPC-ingress]: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/_helpers.tpl b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/_helpers.tpl
@@ -86,6 +86,25 @@ Create the name of the redis service account to use
 {{- end -}}
 {{- end -}}
 
+
+{{/*
+Create Redis secret-init name
+*/}}
+{{- define "argo-cd.redisSecretInit.fullname" -}}
+{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.redisSecretInit.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create the name of the Redis secret-init service account to use
+*/}}
+{{- define "argo-cd.redisSecretInit.serviceAccountName" -}}
+{{- if .Values.redisSecretInit.serviceAccount.create -}}
+    {{ default (include "argo-cd.redisSecretInit.fullname" .) .Values.redis.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.redisSecretInit.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Create argocd server name and version as used by the chart label.
 */}}
@@ -226,3 +245,15 @@ Allows overriding it for multi-namespace deployments in combined charts.
 {{- define "argo-cd.namespace" -}}
 {{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
 {{- end }}
+
+{{/*
+Dual stack definition
+*/}}
+{{- define "argo-cd.dualStack" -}}
+{{- with .Values.global.dualStack.ipFamilyPolicy }}
+ipFamilyPolicy: {{ . }}
+{{- end }}
+{{- with .Values.global.dualStack.ipFamilies }}
+ipFamilies: {{ toYaml . | nindent 4 }}
+{{- end }}
+{{- end }}
diff --git a/...elm-charts/argo-cd/charts/argo-cd/templates/argocd-application-controller/deployment.yaml b/...elm-charts/argo-cd/charts/argo-cd/templates/argocd-application-controller/deployment.yaml
@@ -199,15 +199,19 @@ spec:
           - name: REDIS_USERNAME
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
                 key: redis-username
                 optional: true
           - name: REDIS_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
+                {{- if .Values.externalRedis.host }}
                 key: redis-password
                 optional: true
+                {{- else }}
+                key: auth
+                {{- end }}
           - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
             valueFrom:
               configMapKeyRef:

diff --git a/...d-helm-charts/argo-cd/charts/argo-cd/templates/argocd-application-controller/metrics.yaml b/...d-helm-charts/argo-cd/charts/argo-cd/templates/argocd-application-controller/metrics.yaml
@@ -24,6 +24,7 @@ spec:
   {{- if and .Values.controller.metrics.service.clusterIP (eq .Values.controller.metrics.service.type "ClusterIP") }}
   clusterIP: {{ .Values.controller.metrics.service.clusterIP }}
   {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.controller.metrics.service.portName }}
     protocol: TCP

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-application-controller/role.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-application-controller/role.yaml
@@ -43,3 +43,17 @@ rules:
   - get
   - list
   - watch
+{{- if and (not .Values.createClusterRoles) .Values.controller.dynamicClusterDistribution }}
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  resourceNames:
+  - argocd-app-controller-shard-cm
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+{{- end }}
diff --git a/...lm-charts/argo-cd/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml b/...lm-charts/argo-cd/charts/argo-cd/templates/argocd-application-controller/statefulset.yaml
@@ -198,15 +198,19 @@ spec:
           - name: REDIS_USERNAME
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
                 key: redis-username
                 optional: true
           - name: REDIS_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
+                {{- if .Values.externalRedis.host }}
                 key: redis-password
                 optional: true
+                {{- else }}
+                key: auth
+                {{- end }}
           - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
             valueFrom:
               configMapKeyRef:

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-applicationset/metrics.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-applicationset/metrics.yaml
@@ -24,6 +24,7 @@ spec:
   {{- if and .Values.applicationSet.metrics.service.clusterIP (eq .Values.applicationSet.metrics.service.type "ClusterIP") }}
   clusterIP: {{ .Values.applicationSet.metrics.service.clusterIP }}
   {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name:  {{ .Values.applicationSet.metrics.service.portName }}
     protocol: TCP

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-applicationset/service.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-applicationset/service.yaml
@@ -16,6 +16,7 @@ metadata:
 {{- end }}
 spec:
   type: {{ .Values.applicationSet.service.type }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.applicationSet.service.portName }}
     port: {{ .Values.applicationSet.service.port }}

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-configs/cluster-secrets.yaml
@@ -1,35 +1,35 @@
-{{- range .Values.configs.clusterCredentials }}
+{{- range $cluster_key, $cluster_value := .Values.configs.clusterCredentials }}
 ---
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "argo-cd.name" $ }}-cluster-{{ .name }}
+  name: {{ include "argo-cd.name" $ }}-cluster-{{ $cluster_key }}
   namespace: {{ $.Release.Namespace | quote }}
   labels:
     {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}
-    {{- with .labels }}
+    {{- with $cluster_value.labels }}
       {{- toYaml . | nindent 4 }}
     {{- end }}
     argocd.argoproj.io/secret-type: cluster
-  {{- with .annotations }}
+  {{- with $cluster_value.annotations }}
   annotations:
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
 type: Opaque
 stringData:
-  name: {{ required "A valid .Values.configs.clusterCredentials[].name entry is required!" .name }}
-  server: {{ required "A valid .Values.configs.clusterCredentials[].server entry is required!" .server }}
-  {{- if .namespaces }}
-  namespaces: {{ .namespaces }}
-    {{- if .clusterResources }}
-  clusterResources: {{ .clusterResources | quote }}
+  name: {{ required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.name entry is required!" $cluster_key }}
+  server: {{ required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.server entry is required!" $cluster_value.server }}
+  {{- if $cluster_value.namespaces }}
+  namespaces: {{ $cluster_value.namespaces }}
+    {{- if $cluster_value.clusterResources }}
+  clusterResources: {{ $cluster_value.clusterResources | quote }}
     {{- end }}
   {{- end }}
-  {{- if .project }}
-  project: {{ .project | quote }}
+  {{- if $cluster_value.project }}
+  project: {{ $cluster_value.project | quote }}
   {{- end }}
   config: |
-    {{- required "A valid .Values.configs.clusterCredentials[].config entry is required!" .config | toRawJson | nindent 4 }}
+    {{- required "A valid .Values.configs.clusterCredentials.CLUSTERNAME.config entry is required!" $cluster_value.config | toRawJson | nindent 4 }}
 {{- end }}
diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-configs/externalredis-secret.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "argo-cd.redis.fullname" . }}
+  name: argocd-redis
   namespace: {{ include  "argo-cd.namespace" . }}
   labels:
     {{- include "argo-cd.labels" (dict "context" $) | nindent 4 }}

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-notifications/metrics.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-notifications/metrics.yaml
@@ -24,6 +24,7 @@ spec:
   {{- if and .Values.notifications.metrics.service.clusterIP (eq .Values.notifications.metrics.service.type "ClusterIP") }}
   clusterIP: {{ .Values.notifications.metrics.service.clusterIP }}
   {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   selector:
     {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.notifications.name) | nindent 6 }}
   ports:

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-repo-server/deployment.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-repo-server/deployment.yaml
@@ -175,15 +175,19 @@ spec:
           - name: REDIS_USERNAME
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
                 key: redis-username
                 optional: true
           - name: REDIS_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ default (include "argo-cd.redis.fullname" .) .Values.externalRedis.existingSecret }}
+                name: {{ default "argocd-redis" .Values.externalRedis.existingSecret }}
+                {{- if .Values.externalRedis.host }}
                 key: redis-password
                 optional: true
+                {{- else }}
+                key: auth
+                {{- end }}
           - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
             valueFrom:
               configMapKeyRef:

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-repo-server/metrics.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-repo-server/metrics.yaml
@@ -24,6 +24,7 @@ spec:
   {{- if and .Values.repoServer.metrics.service.clusterIP (eq .Values.repoServer.metrics.service.type "ClusterIP") }}
   clusterIP: {{ .Values.repoServer.metrics.service.clusterIP }}
   {{- end }}
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.repoServer.metrics.service.portName }}
     protocol: TCP

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-repo-server/service.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-repo-server/service.yaml
@@ -15,6 +15,7 @@ metadata:
   name: {{ template "argo-cd.repoServer.fullname" . }}
   namespace: {{ include  "argo-cd.namespace" . }}
 spec:
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.repoServer.service.portName }}
     protocol: TCP

diff --git a/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-server/aws/service.yaml b/argocd-helm-charts/argo-cd/charts/argo-cd/templates/argocd-server/aws/service.yaml
@@ -9,6 +9,7 @@ metadata:
   name: {{ template "argo-cd.server.fullname" . }}-grpc
   namespace: {{ include  "argo-cd.namespace" . }}
 spec:
+  {{- include "argo-cd.dualStack" . | indent 2 }}
   ports:
   - name: {{ .Values.server.service.servicePortHttpName }}
     protocol: TCP