DirectorySecurity AdvisoriesPricing
Sign in
Directory
argo-workflows logoHELM

argo-workflows

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
images:
2
# -- Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`.
3
tag: ""
4
# -- imagePullPolicy to apply to all containers
5
pullPolicy: Always
6
# -- Secrets with credentials to pull images from a private registry
7
pullSecrets: []
8
# - name: argo-pull-secret
9
## Custom resource configuration
10
crds:
11
# -- Install and upgrade CRDs
12
install: true
13
# -- Keep CRDs on chart uninstall
14
keep: true
15
# -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
16
# Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
17
full: true
18
# -- Annotations to be added to all CRDs (only applies when crds.full=false)
19
annotations: {}
20
# Configuration for the CRD install Job (only used when crds.full=true)
21
upgradeJob:
22
# -- Image for the kubectl container that applies CRDs
23
image:
24
# -- Repository for the kubectl image
25
repository: cgr.dev/chainguard-private/kubectl
26
# -- Tag for the kubectl image
27
tag: latest@sha256:31b8e0d54fe3d9eef194cb082bbfc82e5595c428479ed68609cb38b46469605a
28
# -- Override base URL to download full CRD YAML files from. Defaults to this chart's release tag on GitHub. Ignored if hostPath is set.
29
crdBaseURL: ""
30
# -- Host path to mount CRD files from (for local/CI testing). When set, CRDs are applied from this path instead of downloading.
31
hostPath: ""
32
# -- Resources for the CRD install Job containers
33
resources: {}
34
# -- Node selector for the CRD install Job
35
nodeSelector: {}
36
# -- Pod security context for the CRD install Job pod
37
podSecurityContext: {}
38
# -- Tolerations for the CRD install Job
39
tolerations: []
40
# -- Image pull secrets for the CRD install Job
41
imagePullSecrets: []
42
# -- Security context for the CRD install Job container
43
securityContext:
44
readOnlyRootFilesystem: true
45
runAsNonRoot: true
46
allowPrivilegeEscalation: false
47
runAsUser: 65532
48
runAsGroup: 65532
49
seccompProfile:
50
type: RuntimeDefault
51
capabilities:
52
drop:
53
- ALL
54
# -- Extra environment variables to provide to the CRD install Job container
55
extraEnv: []
56
# - name: HTTP_PROXY
57
# value: "http://proxy.example.com:8080"
58
# - name: HTTPS_PROXY
59
# value: "http://proxy.example.com:8080"
60
# - name: NO_PROXY
61
# value: "localhost,127.0.0.1,10.96.0.0/12,192.168.0.0/16"
62
# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
63
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
64
createAggregateRoles: true
65
# -- String to partially override "argo-workflows.fullname" template
66
nameOverride:
67
# -- String to fully override "argo-workflows.fullname" template
68
fullnameOverride:
69
# -- Override the namespace
70
# @default -- `.Release.Namespace`
71
namespaceOverride: ""
72
# -- Labels to set on all resources
73
commonLabels: {}
74
# -- Override the Kubernetes version, which is used to evaluate certain manifests
75
kubeVersionOverride: ""
76
# Override APIVersions
77
apiVersionOverrides:
78
# -- String to override apiVersion of autoscaling rendered by this helm chart
79
autoscaling: "" # autoscaling/v2
80
# -- String to override apiVersion of GKE resources rendered by this helm chart
81
cloudgoogle: "" # cloud.google.com/v1
82
# -- String to override apiVersion of monitoring CRDs (ServiceMonitor) rendered by this helm chart
83
monitoring: "" # monitoring.coreos.com/v1
84
# -- Restrict Argo to operate only in a single namespace (the namespace of the
85
# Helm release) by apply Roles and RoleBindings instead of the Cluster
86
# equivalents, and start workflow-controller with the --namespaced flag. Use it
87
# in clusters with strict access policy.
88
singleNamespace: false
89
workflow:
90
# -- Deprecated; use controller.workflowNamespaces instead.
91
namespace:
92
serviceAccount:
93
# -- Specifies whether a service account should be created
94
create: false
95
# -- Specifies whether a secret for each service account should be created
96
createSecret: false
97
# -- Labels applied to created service account
98
labels: {}
99
# -- Annotations applied to created service account
100
annotations: {}
101
# -- Service account which is used to run workflows
102
name: "argo-workflow"
103
# -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
104
pullSecrets: []
105
rbac:
106
# -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
107
# A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
108
create: true
109
# -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
110
agentPermissions: false
111
# -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
112
artifactGC: false
113
# -- Extra service accounts to be added to the RoleBinding
114
serviceAccounts: []
115
# - name: my-service-account
116
# namespace: my-namespace
117
# -- Additional rules for the service account that runs the workflows.
118
rules: []
119
controller:
120
image:
121
# -- Registry to use for the controller
122
registry: cgr.dev
123
# -- Registry to use for the controller
124
repository: chainguard-private/argo-workflowcontroller
125
# -- Image tag for the workflow controller. Defaults to `.Values.images.tag`.
126
tag: latest@sha256:726a165ebadfed320a22b96a066b69a556cdf02978a25aab6270f5e5799f8ff1
127
# -- parallelism dictates how many workflows can be running at the same time
128
parallelism:
129
# -- Globally limits the rate at which pods are created.
130
# This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of
131
# parallel nodes.
132
resourceRateLimit: {}
133
# limit: 10
134
# burst: 1
135
136
rbac:
137
# -- Adds Role and RoleBinding for the controller.
138
create: true
139
# -- Allows controller to get, list, and watch certain k8s secrets
140
secretWhitelist: []
141
# -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
142
accessAllSecrets: false
143
# -- Allows controller to create and update ConfigMaps. Enables memoization feature
144
writeConfigMaps: false
145
configMap:
146
# -- Create a ConfigMap for the controller
147
create: true
148
# -- ConfigMap name
149
name: ""
150
# -- ConfigMap annotations
151
annotations: {}
152
# -- Limits the maximum number of incomplete workflows in a namespace
153
namespaceParallelism:
154
# -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224
155
initialDelay:
156
# -- deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment
157
deploymentAnnotations: {}
158
# -- podAnnotations is an optional map of annotations to be applied to the controller Pods
159
podAnnotations: {}
160
# -- Optional labels to add to the controller pods
161
podLabels: {}
162
# -- SecurityContext to set on the controller pods
163
podSecurityContext: {}
164
# podPortName: http
165
metricsConfig:
166
# -- Enables prometheus metrics server
167
enabled: false
168
# -- Path is the path where metrics are emitted. Must start with a "/".
169
path: /metrics
170
# -- Frequency at which prometheus scrapes metrics
171
interval: 30s
172
# -- Port is the port where metrics are emitted
173
port: 9090
174
# -- How often custom metrics are cleared from memory
175
metricsTTL: ""
176
# -- Flag that instructs prometheus to ignore metric emission errors.
177
ignoreErrors: false
178
# -- Flag that use a self-signed cert for TLS
179
secure: false
180
# -- Container metrics port name
181
portName: metrics
182
# -- Service metrics port
183
servicePort: 8080
184
# -- Service metrics port name
185
servicePortName: metrics
186
# -- serviceMonitor scheme
187
scheme: http
188
# -- Flag to enable headless service
189
headlessService: false
190
# -- When true, honorLabels preserves the metric’s labels when they collide with the target’s labels.
191
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#honorlabels
192
honorLabels: false
193
# -- ServiceMonitor relabel configs to apply to samples before scraping
194
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
195
relabelings: []
196
# -- ServiceMonitor metric relabel configs to apply to samples before ingestion
197
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint
198
metricRelabelings: []
199
# -- ServiceMonitor will add labels from the service to the Prometheus metric
200
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec
201
targetLabels: []
202
# -- Manipulate the metrics created by the workflow controller
203
## Ref: https://argo-workflows.readthedocs.io/en/latest/metrics/#modifiers
204
modifiers: {}
205
# -- the controller container's securityContext
206
securityContext:
207
readOnlyRootFilesystem: true
208
runAsNonRoot: true
209
allowPrivilegeEscalation: false
210
capabilities:
211
drop:
212
- ALL
213
# -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
214
## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
215
persistence: {}
216
# connectionPool:
217
# maxIdleConns: 100
218
# maxOpenConns: 0
219
# # save the entire workflow into etcd and DB
220
# nodeStatusOffLoad: false
221
# # enable archiving of old workflows
222
# archive: false
223
# postgresql:
224
# host: localhost
225
# port: 5432
226
# database: postgres
227
# tableName: argo_workflows
228
# # the database secrets must be in the same namespace of the controller
229
# userNameSecret:
230
# name: argo-postgres-config
231
# key: username
232
# passwordSecret:
233
# name: argo-postgres-config
234
# key: password
235
# ssl: true
236
# # sslMode must be one of: disable, require, verify-ca, verify-full
237
# # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
238
# sslMode: require
239
# mysql:
240
# host: localhost
241
# port: 3306
242
# database: argo
243
# tableName: argo_workflows
244
# userNameSecret:
245
# name: argo-mysql-config
246
# key: username
247
# passwordSecret:
248
# name: argo-mysql-config
249
# key: password
250
251
# -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
252
# Only valid for 2.7+
253
## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
254
workflowDefaults: {}
255
# spec:
256
# ttlStrategy:
257
# secondsAfterCompletion: 86400
258
# # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
259
# artifactRepositoryRef:
260
# configMap: my-artifact-repository # default is "artifact-repositories"
261
# key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
262
263
# -- Number of workflow workers
264
workflowWorkers: # 32
265
# -- Number of workflow TTL workers
266
workflowTTLWorkers: # 4
267
# -- Number of pod cleanup workers
268
podCleanupWorkers: # 4
269
# -- Number of cron workflow workers
270
# Only valid for 3.5+
271
cronWorkflowWorkers: # 8
272
# -- Restricts the Workflows that the controller will process.
273
# Only valid for 2.9+
274
workflowRestrictions: {}
275
# templateReferencing: Strict|Secure
276
277
# telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint
278
# as metrics by default, but can be overridden using this config.
279
telemetryConfig:
280
# -- Enables prometheus telemetry server
281
enabled: false
282
# -- telemetry path
283
path: /telemetry
284
# -- Frequency at which prometheus scrapes telemetry data
285
interval: 30s
286
# -- telemetry container port
287
port: 8081
288
# -- How often custom metrics are cleared from memory
289
metricsTTL: ""
290
# -- Flag that instructs prometheus to ignore metric emission errors.
291
ignoreErrors: false
292
# -- Flag that use a self-signed cert for TLS
293
secure: false
294
# -- telemetry service port
295
servicePort: 8081
296
# -- telemetry service port name
297
servicePortName: telemetry
298
# -- telemetry serviceMonitor scheme to use
299
scheme: http
300
serviceMonitor:
301
# -- Enable a prometheus ServiceMonitor
302
enabled: false
303
# -- Prometheus ServiceMonitor labels
304
additionalLabels: {}
305
# -- Prometheus ServiceMonitor namespace
306
namespace: "" # "monitoring"
307
serviceAccount:
308
# -- Create a service account for the controller
309
create: true
310
# -- Service account name
311
name: ""
312
# -- Labels applied to created service account
313
labels: {}
314
# -- Annotations applied to created service account
315
annotations: {}
316
# -- Workflow controller name string
317
name: workflow-controller
318
# -- Specify all namespaces where this workflow controller instance will manage
319
# workflows. This controls where the service account and RBAC resources will
320
# be created. Only valid when singleNamespace is false.
321
workflowNamespaces:
322
- default
323
instanceID:
324
# -- Configures the controller to filter workflow submissions
325
# to only those which have a matching instanceID attribute.
326
## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
327
## or `instanceID.explicitID` must be defined.
328
enabled: false
329
# -- Use ReleaseName as instanceID
330
useReleaseName: false
331
# useReleaseName: true
332
333
# -- Use a custom instanceID
334
explicitID: ""
335
# explicitID: unique-argo-controller-identifier
336
logging:
337
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
338
level: info
339
# -- Set the glog logging level
340
globallevel: "0"
341
# -- Set the logging format (one of: `text`, `json`)
342
format: "text"
343
# -- Service type of the controller Service
344
serviceType: ClusterIP
345
# -- Annotations to be applied to the controller Service
346
serviceAnnotations: {}
347
# -- Optional labels to add to the controller Service
348
serviceLabels: {}
349
# -- The class of the load balancer implementation
350
loadBalancerClass: ""
351
# -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
352
loadBalancerSourceRanges: []
353
# -- Resource limits and requests for the controller
354
resources: {}
355
# -- Configure liveness [probe] for the controller
356
# @default -- See [values.yaml]
357
livenessProbe:
358
httpGet:
359
port: 6060
360
path: /healthz
361
failureThreshold: 3
362
initialDelaySeconds: 90
363
periodSeconds: 60
364
timeoutSeconds: 30
365
# -- Extra environment variables to provide to the controller container
366
extraEnv: []
367
# - name: FOO
368
# value: "bar"
369
370
# -- Extra arguments to be added to the controller
371
extraArgs: []
372
# -- Additional volume mounts to the controller main container
373
volumeMounts: []
374
# -- Additional volumes to the controller pod
375
volumes: []
376
# -- The number of controller pods to run
377
replicas: 1
378
# -- The number of revisions to keep.
379
revisionHistoryLimit: 10
380
pdb:
381
# -- Configure [Pod Disruption Budget] for the controller pods
382
enabled: false
383
# minAvailable: 1
384
# maxUnavailable: 1
385
# -- [Node selector]
386
nodeSelector:
387
kubernetes.io/os: linux
388
# -- [Tolerations] for use with node taints
389
tolerations: []
390
# -- Assign custom [affinity] rules
391
affinity: {}
392
# -- Assign custom [TopologySpreadConstraints] rules to the workflow controller
393
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
394
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
395
topologySpreadConstraints: []
396
# - maxSkew: 1
397
# topologyKey: topology.kubernetes.io/zone
398
# whenUnsatisfiable: DoNotSchedule
399
400
# -- Leverage a PriorityClass to ensure your pods survive resource shortages.
401
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
402
priorityClassName: ""
403
# -- Configure Argo Server to show custom [links]
404
## Ref: https://argo-workflows.readthedocs.io/en/stable/links/
405
links: []
406
# -- Configure Argo Server to show custom [columns]
407
## Ref: https://github.com/argoproj/argo-workflows/pull/10693
408
columns: []
409
# -- Set ui navigation bar background color
410
navColor: ""
411
clusterWorkflowTemplates:
412
# -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
413
enabled: true
414
# -- Extra service accounts to be added to the ClusterRoleBinding
415
serviceAccounts: []
416
# - name: my-service-account
417
# namespace: my-namespace
418
# -- Extra containers to be added to the controller deployment
419
extraContainers: []
420
# -- Enables init containers to be added to the controller deployment
421
extraInitContainers: []
422
# -- Workflow retention by number of workflows
423
retentionPolicy: {}
424
# completed: 10
425
# failed: 3
426
# errored: 3
427
428
nodeEvents:
429
# -- Enable to emit events on node completion.
430
## This can take up a lot of space in k8s (typically etcd) resulting in errors when trying to create new events:
431
## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
432
enabled: true
433
workflowEvents:
434
# -- Enable to emit events on workflow status changes.
435
## This can take up a lot of space in k8s (typically etcd), resulting in errors when trying to create new events:
436
## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
437
enabled: true
438
# -- Configure when workflow controller runs in a different k8s cluster with the workflow workloads,
439
# or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret.
440
# @default -- `{}` (See [values.yaml])
441
kubeConfig: {}
442
# # name of the kubeconfig secret, may not be empty when kubeConfig specified
443
# secretName: kubeconfig-secret
444
# # key of the kubeconfig secret, may not be empty when kubeConfig specified
445
# secretKey: kubeconfig
446
# # mounting path of the kubeconfig secret, default to /kube/config
447
# mountPath: /kubeconfig/mount/path
448
# # volume name when mounting the secret, default to kubeconfig
449
# volumeName: kube-config-volume
450
451
# -- Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately.
452
# @default -- `30` seconds (Kubernetes default)
453
podGCGracePeriodSeconds:
454
# -- The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately.
455
# @default -- `5s` (Argo Workflows default)
456
podGCDeleteDelayDuration: ""
457
# -- enable Synchronization to use a database. Postgres and MySQL (>= 5.7.8) are available.
458
## Ref: https://argo-workflows.readthedocs.io/en/latest/workflow-controller-configmap/#syncconfig
459
synchronization: {}
460
# controllerName: argo-workflows
461
# connectionPool:
462
# maxIdleConns: 100
463
# maxOpenConns: 0
464
# postgresql:
465
# host: localhost
466
# port: 5432
467
# database: postgres
468
# tableName: argo_workflows
469
# # the database secrets must be in the same namespace of the controller
470
# userNameSecret:
471
# name: argo-postgres-config
472
# key: username
473
# passwordSecret:
474
# name: argo-postgres-config
475
# key: password
476
# ssl: true
477
# # sslMode must be one of: disable, require, verify-ca, verify-full
478
# # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
479
# sslMode: require
480
# mysql:
481
# host: localhost
482
# port: 3306
483
# database: argo
484
# tableName: argo_workflows
485
# userNameSecret:
486
# name: argo-mysql-config
487
# key: username
488
# passwordSecret:
489
# name: argo-mysql-config
490
# key: password
491
492
failedPodRestart:
493
# -- Enable to restart of pods that fail before entering Running state.
494
## This is useful for recovering from transient infrastructure issues like node eviction due to DiskPressure or MemoryPressure without requiring a retryStrategy on every template.
495
## ref: https://argo-workflows.readthedocs.io/en/latest/pod-restarts/
496
enabled: false
497
# -- Maximum number of automatic restarts per node before giving up.
498
maxRestarts: 3
499
# mainContainer adds default config for main container that could be overriden in workflows template
500
mainContainer:
501
# -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`.
502
imagePullPolicy: ""
503
# -- Resource limits and requests for the Workflow main container
504
resources: {}
505
# -- Adds environment variables for the Workflow main container
506
env: []
507
# -- Adds reference environment variables for the Workflow main container
508
envFrom: []
509
# -- sets security context for the Workflow main container
510
securityContext: {}
511
# executor controls how the init and wait container should be customized
512
executor:
513
image:
514
# -- Registry to use for the Workflow Executors
515
registry: cgr.dev
516
# -- Repository to use for the Workflow Executors
517
repository: chainguard-private/argo-exec
518
# -- Image tag for the workflow executor. Defaults to `.Values.images.tag`.
519
tag: latest@sha256:c932e2e04d37559f36831be1a5b1724abe9db541fd015df9358419e8eb10b5f5
520
# -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`.
521
pullPolicy: ""
522
# -- Resource limits and requests for the Workflow Executors
523
resources: {}
524
# -- Passes arguments to the executor processes
525
args: []
526
# -- Adds environment variables for the executor.
527
env: []
528
# -- sets security context for the executor container
529
securityContext: {}
530
server:
531
# -- Deploy the Argo Server
532
enabled: true
533
# -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
534
## only updates base url of resources on client side,
535
## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
536
## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
537
baseHref: /
538
image:
539
# -- Registry to use for the server
540
registry: cgr.dev
541
# -- Repository to use for the server
542
repository: chainguard-private/argo-cli
543
# -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
544
tag: latest@sha256:81e2246d80e0bf0acbdf8d9c98b0385061a82c42bcf6251b2d20df799d8191c7
545
# -- optional map of annotations to be applied to the ui Deployment
546
deploymentAnnotations: {}
547
# -- optional map of annotations to be applied to the ui Pods
548
podAnnotations: {}
549
# -- Optional labels to add to the UI pods
550
podLabels: {}
551
# -- SecurityContext to set on the server pods
552
podSecurityContext: {}
553
rbac:
554
# -- Adds Role and RoleBinding for the server.
555
create: true
556
# -- Servers container-level security context
557
securityContext:
558
readOnlyRootFilesystem: false
559
runAsNonRoot: true
560
allowPrivilegeEscalation: false
561
capabilities:
562
drop:
563
- ALL
564
# -- Server name string
565
name: server
566
# -- Service type for server pods
567
serviceType: ClusterIP
568
# -- Service port for server
569
servicePort: 2746
570
# -- Service target port for server
571
serviceTargetPort: 2746
572
# -- Service node port
573
serviceNodePort: # 32746
574
# -- Service port name
575
servicePortName: "" # http
576
# -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
577
hostAliases: []
578
# - ip: 10.20.30.40
579
# hostnames:
580
# - git.myhostname
581
582
serviceAccount:
583
# -- Create a service account for the server
584
create: true
585
# -- Service account name
586
name: ""
587
# -- Labels applied to created service account
588
labels: {}
589
# -- Annotations applied to created service account
590
annotations: {}
591
# -- Annotations to be applied to the UI Service
592
serviceAnnotations: {}
593
# -- Optional labels to add to the UI Service
594
serviceLabels: {}
595
# -- The class of the load balancer implementation
596
loadBalancerClass: ""
597
# -- Static IP address to assign to loadBalancer service type `LoadBalancer`
598
loadBalancerIP: ""
599
# -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
600
loadBalancerSourceRanges: []
601
# -- Resource limits and requests for the server
602
resources: {}
603
# -- The number of server pods to run
604
replicas: 1
605
# -- The number of revisions to keep.
606
revisionHistoryLimit: 10
607
## Argo Server Horizontal Pod Autoscaler
608
autoscaling:
609
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server
610
enabled: false
611
# -- Minimum number of replicas for the Argo Server [HPA]
612
minReplicas: 1
613
# -- Maximum number of replicas for the Argo Server [HPA]
614
maxReplicas: 5
615
# -- Average CPU utilization percentage for the Argo Server [HPA]
616
targetCPUUtilizationPercentage: 50
617
# -- Average memory utilization percentage for the Argo Server [HPA]
618
targetMemoryUtilizationPercentage: 50
619
# -- Configures the scaling behavior of the target in both Up and Down directions.
620
# This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
621
behavior: {}
622
# scaleDown:
623
# stabilizationWindowSeconds: 300
624
# policies:
625
# - type: Pods
626
# value: 1
627
# periodSeconds: 180
628
# scaleUp:
629
# stabilizationWindowSeconds: 300
630
# policies:
631
# - type: Pods
632
# value: 2
633
pdb:
634
# -- Configure [Pod Disruption Budget] for the server pods
635
enabled: false
636
# minAvailable: 1
637
# maxUnavailable: 1
638
# -- [Node selector]
639
nodeSelector:
640
kubernetes.io/os: linux
641
# -- [Tolerations] for use with node taints
642
tolerations: []
643
# -- Assign custom [affinity] rules
644
affinity: {}
645
# -- Assign custom [TopologySpreadConstraints] rules to the argo server
646
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
647
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
648
topologySpreadConstraints: []
649
# - maxSkew: 1
650
# topologyKey: topology.kubernetes.io/zone
651
# whenUnsatisfiable: DoNotSchedule
652
653
# -- Leverage a PriorityClass to ensure your pods survive resource shortages
654
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
655
priorityClassName: ""
656
# -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs.
657
## See the following documentation for more details on secure mode:
658
## https://argo-workflows.readthedocs.io/en/stable/tls/
659
secure: false
660
# -- Extra environment variables to provide to the argo-server container
661
extraEnv: []
662
# - name: FOO
663
# value: "bar"
664
665
# -- Deprecated; use server.authModes instead.
666
authMode: ""
667
# -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
668
## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
669
authModes: []
670
# -- Extra arguments to provide to the Argo server binary.
671
## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server/#options
672
extraArgs: []
673
logging:
674
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
675
level: info
676
# -- Set the glog logging level
677
globallevel: "0"
678
# -- Set the logging format (one of: `text`, `json`)
679
format: "text"
680
# -- Volume to be mounted in Pods for temporary files.
681
tmpVolume:
682
emptyDir: {}
683
# -- Additional volume mounts to the server main container.
684
volumeMounts: []
685
# -- Additional volumes to the server pod.
686
volumes: []
687
## Ingress configuration.
688
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
689
ingress:
690
# -- Enable an ingress resource
691
enabled: false
692
# -- Additional ingress annotations
693
annotations: {}
694
# -- Additional ingress labels
695
labels: {}
696
# -- Defines which ingress controller will implement the resource
697
ingressClassName: ""
698
# -- List of ingress hosts
699
## Hostnames must be provided if Ingress is enabled.
700
## Secrets must be manually created in the namespace
701
hosts: []
702
# - argoworkflows.example.com
703
704
# -- List of ingress paths
705
paths:
706
- /
707
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
708
pathType: Prefix
709
# -- Additional ingress paths
710
extraPaths: []
711
# - path: /*
712
# backend:
713
# serviceName: ssl-redirect
714
# servicePort: use-annotation
715
## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
716
# - path: /*
717
# pathType: Prefix
718
# backend:
719
# service
720
# name: ssl-redirect
721
# port:
722
# name: use-annotation
723
724
# -- Ingress TLS configuration
725
tls: []
726
# - secretName: argoworkflows-example-tls
727
# hosts:
728
# - argoworkflows.example.com
729
## Create a Google Backendconfig for use with the GKE Ingress Controller
730
## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
731
GKEbackendConfig:
732
# -- Enable BackendConfig custom resource for Google Kubernetes Engine
733
enabled: false
734
# -- [BackendConfigSpec]
735
spec: {}
736
# spec:
737
# iap:
738
# enabled: true
739
# oauthclientCredentials:
740
# secretName: argoworkflows-secret
741
742
## Create a Google Managed Certificate for use with the GKE Ingress Controller
743
## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
744
GKEmanagedCertificate:
745
# -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
746
enabled: false
747
# -- Domains for the Google Managed Certificate
748
domains:
749
- argoworkflows.example.com
750
## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
751
## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
752
GKEfrontendConfig:
753
# -- Enable FrontConfig custom resource for Google Kubernetes Engine
754
enabled: false
755
# -- [FrontendConfigSpec]
756
spec: {}
757
# spec:
758
# redirectToHttps:
759
# enabled: true
760
# responseCodeName: RESPONSE_CODE
761
762
# Gateway API HTTPRoute configuration
763
# NOTE: Gateway API support is in EXPERIMENTAL status
764
# Support depends on your Gateway controller implementation
765
# Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
766
# Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
767
httproute:
768
# -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
769
enabled: false
770
# -- Additional HTTPRoute labels
771
labels: {}
772
# -- Additional HTTPRoute annotations
773
annotations: {}
774
# -- Gateway API parentRefs for the HTTPRoute
775
## Must reference an existing Gateway
776
# @default -- `[]` (See [values.yaml])
777
parentRefs: []
778
# - name: example-gateway
779
# namespace: example-gateway-namespace
780
# sectionName: https
781
# -- List of hostnames for the HTTPRoute
782
# @default -- `[]` (See [values.yaml])
783
hostnames: []
784
# - argoworkflows.example.com
785
# -- HTTPRoute rules configuration
786
# @default -- `[]` (See [values.yaml])
787
rules:
788
- matches:
789
- path:
790
type: PathPrefix
791
value: /
792
# filters: []
793
# - type: RequestHeaderModifier
794
# requestHeaderModifier:
795
# add:
796
# - name: X-Custom-Header
797
# value: custom-value
798
# timeouts:
799
# request: 10s
800
# backendRequest: 2s
801
# Gateway API BackendTLSPolicy configuration
802
# NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
803
# Required for HTTPS backends when using Gateway API
804
# Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
805
backendTLSPolicy:
806
# -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
807
enabled: false
808
# -- Additional BackendTLSPolicy labels
809
labels: {}
810
# -- Additional BackendTLSPolicy annotations
811
annotations: {}
812
# -- Target references for the BackendTLSPolicy
813
# @default -- `[]` (See [values.yaml])
814
targetRefs: []
815
# - group: ""
816
# kind: Service
817
# name: argo-workflows-server
818
# sectionName: https
819
# -- TLS validation configuration
820
# @default -- `{}` (See [values.yaml])
821
validation: {}
822
# hostname: argo-workflows-server.argo.svc.cluster.local
823
# caCertificateRefs:
824
# - name: example-ca-cert
825
# group: ""
826
# kind: ConfigMap
827
# wellKnownCACertificates: System
828
clusterWorkflowTemplates:
829
# -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
830
enabled: true
831
# -- Give the server permissions to edit ClusterWorkflowTemplates.
832
enableEditing: true
833
# SSO configuration when SSO is specified as a server auth mode.
834
sso:
835
# -- Create SSO configuration. If you set `true` , please also set `.Values.server.authModes` as `sso`.
836
enabled: false
837
# -- The root URL of the OIDC identity provider
838
issuer: https://accounts.google.com
839
clientId:
840
# -- Name of secret to retrieve the app OIDC client ID
841
name: argo-server-sso
842
# -- Key of secret to retrieve the app OIDC client ID
843
key: client-id
844
clientSecret:
845
# -- Name of a secret to retrieve the app OIDC client secret
846
name: argo-server-sso
847
# -- Key of a secret to retrieve the app OIDC client secret
848
key: client-secret
849
# -- The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
850
redirectUrl: ""
851
rbac:
852
# -- Adds ServiceAccount Policy to server (Cluster)Role.
853
enabled: true
854
# -- Whitelist to allow server to fetch Secrets
855
## When present, restricts secrets the server can read to a given list.
856
## You can use it to restrict the server to only be able to access the
857
## service account token secrets that are associated with service accounts
858
## used for authorization.
859
secretWhitelist: []
860
# -- Scopes requested from the SSO ID provider
861
## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
862
scopes: []
863
# - groups
864
# -- Define how long your login is valid for (in hours)
865
## If omitted, defaults to 10h.
866
sessionExpiry: ""
867
# -- Alternate root URLs that can be included for some OIDC providers
868
issuerAlias: ""
869
# -- Override claim name for OIDC groups
870
customGroupClaimName: ""
871
# -- Specify the user info endpoint that contains the groups claim
872
## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
873
userInfoPath: ""
874
# -- Skip TLS verification for the HTTP client
875
insecureSkipVerify: false
876
# -- Filter the groups returned by the OIDC provider
877
## A logical "OR" is used between each regex in the list
878
filterGroupsRegex: []
879
# - ".*argo-wf.*"
880
# - ".*argo-workflow.*"
881
# -- Extra containers to be added to the server deployment
882
extraContainers: []
883
# -- Enables init containers to be added to the server deployment
884
extraInitContainers: []
885
# -- Specify postStart and preStop lifecycle hooks for server container
886
lifecycle: {}
887
# -- terminationGracePeriodSeconds for container lifecycle hook
888
terminationGracePeriodSeconds: 30
889
## livenessProbe for server
890
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
891
livenessProbe:
892
# -- Enable Kubernetes liveness probe for server
893
enabled: false
894
httpGet:
895
# -- Http port to use for the liveness probe
896
port: 2746
897
# -- Http path to use for the liveness probe
898
path: /
899
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
900
failureThreshold: 3
901
# -- Number of seconds after the container has started before [probe] is initiated
902
initialDelaySeconds: 10
903
# -- How often (in seconds) to perform the [probe]
904
periodSeconds: 10
905
# -- Number of seconds after which the [probe] times out
906
timeoutSeconds: 1
907
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
908
successThreshold: 1
909
# -- Array of extra K8s manifests to deploy
910
extraObjects: []
911
# - apiVersion: secrets-store.csi.x-k8s.io/v1
912
# kind: SecretProviderClass
913
# metadata:
914
# name: argo-server-sso
915
# spec:
916
# provider: aws
917
# parameters:
918
# objects: |
919
# - objectName: "argo/server/sso"
920
# objectType: "secretsmanager"
921
# jmesPath:
922
# - path: "client_id"
923
# objectAlias: "client_id"
924
# - path: "client_secret"
925
# objectAlias: "client_secret"
926
# secretObjects:
927
# - data:
928
# - key: client_id
929
# objectName: client_id
930
# - key: client_secret
931
# objectName: client_secret
932
# secretName: argo-server-sso-secrets-store
933
# type: Opaque
934
935
# -- Use static credentials for S3 (eg. when not using AWS IRSA)
936
useStaticCredentials: true
937
artifactRepository:
938
# -- Archive the main container logs as an artifact
939
archiveLogs: false
940
# -- Store artifact in a S3-compliant object store
941
# @default -- See [values.yaml]
942
s3: {}
943
# # Note the `key` attribute is not the actual secret, it's the PATH to
944
# # the contents in the associated secret, as defined by the `name` attribute.
945
# accessKeySecret:
946
# name: "{{ .Release.Name }}-minio"
947
# key: accesskey
948
# secretKeySecret:
949
# name: "{{ .Release.Name }}-minio"
950
# key: secretkey
951
# sessionTokenSecret:
952
# name: "{{ .Release.Name }}-minio"
953
# key: sessionToken
954
# # insecure will disable TLS. Primarily used for minio installs not configured with TLS
955
# insecure: false
956
# caSecret:
957
# name: ca-root
958
# key: cert.pem
959
# bucket:
960
# endpoint:
961
# region:
962
# roleARN:
963
# useSDKCreds: true
964
# encryptionOptions:
965
# enableEncryption: true
966
# -- Store artifact in a GCS object store
967
# @default -- `{}` (See [values.yaml])
968
gcs: {}
969
# bucket: <project>-argo
970
# keyFormat: "{{ \"{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}\" }}"
971
# # serviceAccountKeySecret is a secret selector.
972
# # It references the k8s secret named 'my-gcs-credentials'.
973
# # This secret is expected to have the key 'serviceAccountKey',
974
# # containing the base64 encoded credentials
975
# # to the bucket.
976
# #
977
# # If it's running on GKE and Workload Identity is used,
978
# # serviceAccountKeySecret is not needed.
979
# serviceAccountKeySecret:
980
# name: my-gcs-credentials
981
# key: serviceAccountKey
982
# -- Store artifact in Azure Blob Storage
983
# @default -- `{}` (See [values.yaml])
984
azure: {}
985
# endpoint: https://mystorageaccountname.blob.core.windows.net
986
# container: my-container-name
987
# blobNameFormat: path/in/container
988
# # accountKeySecret is a secret selector.
989
# # It references the k8s secret named 'my-azure-storage-credentials'.
990
# # This secret is expected to have the key 'account-access-key',
991
# # containing the base64 encoded credentials to the storage account.
992
# # If a managed identity has been assigned to the machines running the
993
# # workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity)
994
# # then accountKeySecret is not needed, and useSDKCreds should be
995
# # set to true instead:
996
# useSDKCreds: true
997
# accountKeySecret:
998
# name: my-azure-storage-credentials
999
# key: account-access-key
1000
# -- The section of custom artifact repository.
1001
# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure)
1002
customArtifactRepository: {}
1003
# artifactory:
1004
# repoUrl: https://artifactory.example.com/raw
1005
# usernameSecret:
1006
# name: artifactory-creds
1007
# key: username
1008
# passwordSecret:
1009
# name: artifactory-creds
1010
# key: password
1011
1012
# -- The section of [artifact repository ref](https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/).
1013
# Each map key is the name of configmap
1014
# @default -- `{}` (See [values.yaml])
1015
artifactRepositoryRef: {}
1016
# # -- 1st ConfigMap
1017
# # If you want to use this config map by default, name it "artifact-repositories".
1018
# # Otherwise, you can provide a reference to a
1019
# # different config map in `artifactRepositoryRef.configMap`.
1020
# artifact-repositories:
1021
# # -- v3.0 and after - if you want to use a specific key, put that key into this annotation.
1022
# annotations:
1023
# workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
1024
# # 1st data of configmap. See above artifactRepository or customArtifactRepository.
1025
# default-v1-s3-artifact-repository:
1026
# archiveLogs: false
1027
# s3:
1028
# bucket: my-bucket
1029
# endpoint: minio:9000
1030
# insecure: true
1031
# accessKeySecret:
1032
# name: my-minio-cred
1033
# key: accesskey
1034
# secretKeySecret:
1035
# name: my-minio-cred
1036
# key: secretkey
1037
# # 2nd data
1038
# oss-artifact-repository:
1039
# archiveLogs: false
1040
# oss:
1041
# endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
1042
# bucket: $mybucket
1043
# # accessKeySecret and secretKeySecret are secret selectors.
1044
# # It references the k8s secret named 'bucket-workflow-artifect-credentials'.
1045
# # This secret is expected to have the keys 'accessKey'
1046
# # and 'secretKey', containing the base64 encoded credentials
1047
# # to the bucket.
1048
# accessKeySecret:
1049
# name: $mybucket-credentials
1050
# key: accessKey
1051
# secretKeySecret:
1052
# name: $mybucket-credentials
1053
# key: secretKey
1054
# # 2nd ConfigMap
1055
# another-artifact-repositories:
1056
# annotations:
1057
# workflows.argoproj.io/default-artifact-repository: gcs
1058
# gcs:
1059
# bucket: my-bucket
1060
# keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
1061
# serviceAccountKeySecret:
1062
# name: my-gcs-credentials
1063
# key: serviceAccountKey
1064
1065
emissary:
1066
# -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.
1067
## See more: https://argo-workflows.readthedocs.io/en/stable/workflow-executors/#emissary-emissary
1068
images: []
1069
# argoproj/argosay:v2:
1070
# cmd: [/argosay]
1071
# docker/whalesay:latest:
1072
# cmd: [/bin/bash]
1073

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.