2 # -- Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`.
4 # -- imagePullPolicy to apply to all containers
6 # -- Secrets with credentials to pull images from a private registry
8 # - name: argo-pull-secret
9## Custom resource configuration
11 # -- Install and upgrade CRDs
13 # -- Keep CRDs on chart uninstall
15 # -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
16 # Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
18 # -- Annotations to be added to all CRDs (only applies when crds.full=false)
20 # Configuration for the CRD install Job (only used when crds.full=true)
22 # -- Image for the kubectl container that applies CRDs
24 # -- Repository for the kubectl image
25 repository: cgr.dev/chainguard-private/kubectl
26 # -- Tag for the kubectl image
27 tag: latest@sha256:31b8e0d54fe3d9eef194cb082bbfc82e5595c428479ed68609cb38b46469605a
28 # -- Override base URL to download full CRD YAML files from. Defaults to this chart's release tag on GitHub. Ignored if hostPath is set.
30 # -- Host path to mount CRD files from (for local/CI testing). When set, CRDs are applied from this path instead of downloading.
32 # -- Resources for the CRD install Job containers
34 # -- Node selector for the CRD install Job
36 # -- Pod security context for the CRD install Job pod
37 podSecurityContext: {}
38 # -- Tolerations for the CRD install Job
40 # -- Image pull secrets for the CRD install Job
42 # -- Security context for the CRD install Job container
44 readOnlyRootFilesystem: true
46 allowPrivilegeEscalation: false
54 # -- Extra environment variables to provide to the CRD install Job container
57 # value: "http://proxy.example.com:8080"
59 # value: "http://proxy.example.com:8080"
61 # value: "localhost,127.0.0.1,10.96.0.0/12,192.168.0.0/16"
62# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
63## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
64createAggregateRoles: true
65# -- String to partially override "argo-workflows.fullname" template
67# -- String to fully override "argo-workflows.fullname" template
69# -- Override the namespace
70# @default -- `.Release.Namespace`
72# -- Labels to set on all resources
74# -- Override the Kubernetes version, which is used to evaluate certain manifests
75kubeVersionOverride: ""
78 # -- String to override apiVersion of autoscaling rendered by this helm chart
79 autoscaling: "" # autoscaling/v2
80 # -- String to override apiVersion of GKE resources rendered by this helm chart
81 cloudgoogle: "" # cloud.google.com/v1
82 # -- String to override apiVersion of monitoring CRDs (ServiceMonitor) rendered by this helm chart
83 monitoring: "" # monitoring.coreos.com/v1
84# -- Restrict Argo to operate only in a single namespace (the namespace of the
85# Helm release) by apply Roles and RoleBindings instead of the Cluster
86# equivalents, and start workflow-controller with the --namespaced flag. Use it
87# in clusters with strict access policy.
90 # -- Deprecated; use controller.workflowNamespaces instead.
93 # -- Specifies whether a service account should be created
95 # -- Specifies whether a secret for each service account should be created
97 # -- Labels applied to created service account
99 # -- Annotations applied to created service account
101 # -- Service account which is used to run workflows
102 name: "argo-workflow"
103 # -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
106 # -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
107 # A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
109 # -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
110 agentPermissions: false
111 # -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
113 # -- Extra service accounts to be added to the RoleBinding
115 # - name: my-service-account
116 # namespace: my-namespace
117 # -- Additional rules for the service account that runs the workflows.
121 # -- Registry to use for the controller
123 # -- Registry to use for the controller
124 repository: chainguard-private/argo-workflowcontroller
125 # -- Image tag for the workflow controller. Defaults to `.Values.images.tag`.
126 tag: latest@sha256:726a165ebadfed320a22b96a066b69a556cdf02978a25aab6270f5e5799f8ff1
127 # -- parallelism dictates how many workflows can be running at the same time
129 # -- Globally limits the rate at which pods are created.
130 # This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of
132 resourceRateLimit: {}
137 # -- Adds Role and RoleBinding for the controller.
139 # -- Allows controller to get, list, and watch certain k8s secrets
141 # -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
142 accessAllSecrets: false
143 # -- Allows controller to create and update ConfigMaps. Enables memoization feature
144 writeConfigMaps: false
146 # -- Create a ConfigMap for the controller
150 # -- ConfigMap annotations
152 # -- Limits the maximum number of incomplete workflows in a namespace
153 namespaceParallelism:
154 # -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224
156 # -- deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment
157 deploymentAnnotations: {}
158 # -- podAnnotations is an optional map of annotations to be applied to the controller Pods
160 # -- Optional labels to add to the controller pods
162 # -- SecurityContext to set on the controller pods
163 podSecurityContext: {}
166 # -- Enables prometheus metrics server
168 # -- Path is the path where metrics are emitted. Must start with a "/".
170 # -- Frequency at which prometheus scrapes metrics
172 # -- Port is the port where metrics are emitted
174 # -- How often custom metrics are cleared from memory
176 # -- Flag that instructs prometheus to ignore metric emission errors.
178 # -- Flag that use a self-signed cert for TLS
180 # -- Container metrics port name
182 # -- Service metrics port
184 # -- Service metrics port name
185 servicePortName: metrics
186 # -- serviceMonitor scheme
188 # -- Flag to enable headless service
189 headlessService: false
190 # -- When true, honorLabels preserves the metric’s labels when they collide with the target’s labels.
191 ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#honorlabels
193 # -- ServiceMonitor relabel configs to apply to samples before scraping
194 ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
196 # -- ServiceMonitor metric relabel configs to apply to samples before ingestion
197 ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint
198 metricRelabelings: []
199 # -- ServiceMonitor will add labels from the service to the Prometheus metric
200 ## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec
202 # -- Manipulate the metrics created by the workflow controller
203 ## Ref: https://argo-workflows.readthedocs.io/en/latest/metrics/#modifiers
205 # -- the controller container's securityContext
207 readOnlyRootFilesystem: true
209 allowPrivilegeEscalation: false
213 # -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
214 ## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
219 # # save the entire workflow into etcd and DB
220 # nodeStatusOffLoad: false
221 # # enable archiving of old workflows
227 # tableName: argo_workflows
228 # # the database secrets must be in the same namespace of the controller
230 # name: argo-postgres-config
233 # name: argo-postgres-config
236 # # sslMode must be one of: disable, require, verify-ca, verify-full
237 # # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
243 # tableName: argo_workflows
245 # name: argo-mysql-config
248 # name: argo-mysql-config
251 # -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
252 # Only valid for 2.7+
253 ## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
257 # secondsAfterCompletion: 86400
258 # # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
259 # artifactRepositoryRef:
260 # configMap: my-artifact-repository # default is "artifact-repositories"
261 # key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
263 # -- Number of workflow workers
264 workflowWorkers: # 32
265 # -- Number of workflow TTL workers
266 workflowTTLWorkers: # 4
267 # -- Number of pod cleanup workers
268 podCleanupWorkers: # 4
269 # -- Number of cron workflow workers
270 # Only valid for 3.5+
271 cronWorkflowWorkers: # 8
272 # -- Restricts the Workflows that the controller will process.
273 # Only valid for 2.9+
274 workflowRestrictions: {}
275 # templateReferencing: Strict|Secure
277 # telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint
278 # as metrics by default, but can be overridden using this config.
280 # -- Enables prometheus telemetry server
284 # -- Frequency at which prometheus scrapes telemetry data
286 # -- telemetry container port
288 # -- How often custom metrics are cleared from memory
290 # -- Flag that instructs prometheus to ignore metric emission errors.
292 # -- Flag that use a self-signed cert for TLS
294 # -- telemetry service port
296 # -- telemetry service port name
297 servicePortName: telemetry
298 # -- telemetry serviceMonitor scheme to use
301 # -- Enable a prometheus ServiceMonitor
303 # -- Prometheus ServiceMonitor labels
305 # -- Prometheus ServiceMonitor namespace
306 namespace: "" # "monitoring"
308 # -- Create a service account for the controller
310 # -- Service account name
312 # -- Labels applied to created service account
314 # -- Annotations applied to created service account
316 # -- Workflow controller name string
317 name: workflow-controller
318 # -- Specify all namespaces where this workflow controller instance will manage
319 # workflows. This controls where the service account and RBAC resources will
320 # be created. Only valid when singleNamespace is false.
324 # -- Configures the controller to filter workflow submissions
325 # to only those which have a matching instanceID attribute.
326 ## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
327 ## or `instanceID.explicitID` must be defined.
329 # -- Use ReleaseName as instanceID
330 useReleaseName: false
331 # useReleaseName: true
333 # -- Use a custom instanceID
335 # explicitID: unique-argo-controller-identifier
337 # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
339 # -- Set the glog logging level
341 # -- Set the logging format (one of: `text`, `json`)
343 # -- Service type of the controller Service
344 serviceType: ClusterIP
345 # -- Annotations to be applied to the controller Service
346 serviceAnnotations: {}
347 # -- Optional labels to add to the controller Service
349 # -- The class of the load balancer implementation
350 loadBalancerClass: ""
351 # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
352 loadBalancerSourceRanges: []
353 # -- Resource limits and requests for the controller
355 # -- Configure liveness [probe] for the controller
356 # @default -- See [values.yaml]
362 initialDelaySeconds: 90
365 # -- Extra environment variables to provide to the controller container
370 # -- Extra arguments to be added to the controller
372 # -- Additional volume mounts to the controller main container
374 # -- Additional volumes to the controller pod
376 # -- The number of controller pods to run
378 # -- The number of revisions to keep.
379 revisionHistoryLimit: 10
381 # -- Configure [Pod Disruption Budget] for the controller pods
387 kubernetes.io/os: linux
388 # -- [Tolerations] for use with node taints
390 # -- Assign custom [affinity] rules
392 # -- Assign custom [TopologySpreadConstraints] rules to the workflow controller
393 ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
394 ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
395 topologySpreadConstraints: []
397 # topologyKey: topology.kubernetes.io/zone
398 # whenUnsatisfiable: DoNotSchedule
400 # -- Leverage a PriorityClass to ensure your pods survive resource shortages.
401 ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
402 priorityClassName: ""
403 # -- Configure Argo Server to show custom [links]
404 ## Ref: https://argo-workflows.readthedocs.io/en/stable/links/
406 # -- Configure Argo Server to show custom [columns]
407 ## Ref: https://github.com/argoproj/argo-workflows/pull/10693
409 # -- Set ui navigation bar background color
411 clusterWorkflowTemplates:
412 # -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
414 # -- Extra service accounts to be added to the ClusterRoleBinding
416 # - name: my-service-account
417 # namespace: my-namespace
418 # -- Extra containers to be added to the controller deployment
420 # -- Enables init containers to be added to the controller deployment
421 extraInitContainers: []
422 # -- Workflow retention by number of workflows
429 # -- Enable to emit events on node completion.
430 ## This can take up a lot of space in k8s (typically etcd) resulting in errors when trying to create new events:
431 ## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
434 # -- Enable to emit events on workflow status changes.
435 ## This can take up a lot of space in k8s (typically etcd), resulting in errors when trying to create new events:
436 ## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
438 # -- Configure when workflow controller runs in a different k8s cluster with the workflow workloads,
439 # or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret.
440 # @default -- `{}` (See [values.yaml])
442 # # name of the kubeconfig secret, may not be empty when kubeConfig specified
443 # secretName: kubeconfig-secret
444 # # key of the kubeconfig secret, may not be empty when kubeConfig specified
445 # secretKey: kubeconfig
446 # # mounting path of the kubeconfig secret, default to /kube/config
447 # mountPath: /kubeconfig/mount/path
448 # # volume name when mounting the secret, default to kubeconfig
449 # volumeName: kube-config-volume
451 # -- Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately.
452 # @default -- `30` seconds (Kubernetes default)
453 podGCGracePeriodSeconds:
454 # -- The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately.
455 # @default -- `5s` (Argo Workflows default)
456 podGCDeleteDelayDuration: ""
457 # -- enable Synchronization to use a database. Postgres and MySQL (>= 5.7.8) are available.
458 ## Ref: https://argo-workflows.readthedocs.io/en/latest/workflow-controller-configmap/#syncconfig
460 # controllerName: argo-workflows
468 # tableName: argo_workflows
469 # # the database secrets must be in the same namespace of the controller
471 # name: argo-postgres-config
474 # name: argo-postgres-config
477 # # sslMode must be one of: disable, require, verify-ca, verify-full
478 # # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
484 # tableName: argo_workflows
486 # name: argo-mysql-config
489 # name: argo-mysql-config
493 # -- Enable to restart of pods that fail before entering Running state.
494 ## This is useful for recovering from transient infrastructure issues like node eviction due to DiskPressure or MemoryPressure without requiring a retryStrategy on every template.
495 ## ref: https://argo-workflows.readthedocs.io/en/latest/pod-restarts/
497 # -- Maximum number of automatic restarts per node before giving up.
499# mainContainer adds default config for main container that could be overriden in workflows template
501 # -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`.
503 # -- Resource limits and requests for the Workflow main container
505 # -- Adds environment variables for the Workflow main container
507 # -- Adds reference environment variables for the Workflow main container
509 # -- sets security context for the Workflow main container
511# executor controls how the init and wait container should be customized
514 # -- Registry to use for the Workflow Executors
516 # -- Repository to use for the Workflow Executors
517 repository: chainguard-private/argo-exec
518 # -- Image tag for the workflow executor. Defaults to `.Values.images.tag`.
519 tag: latest@sha256:c932e2e04d37559f36831be1a5b1724abe9db541fd015df9358419e8eb10b5f5
520 # -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`.
522 # -- Resource limits and requests for the Workflow Executors
524 # -- Passes arguments to the executor processes
526 # -- Adds environment variables for the executor.
528 # -- sets security context for the executor container
531 # -- Deploy the Argo Server
533 # -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
534 ## only updates base url of resources on client side,
535 ## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
536 ## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
539 # -- Registry to use for the server
541 # -- Repository to use for the server
542 repository: chainguard-private/argo-cli
543 # -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
544 tag: latest@sha256:81e2246d80e0bf0acbdf8d9c98b0385061a82c42bcf6251b2d20df799d8191c7
545 # -- optional map of annotations to be applied to the ui Deployment
546 deploymentAnnotations: {}
547 # -- optional map of annotations to be applied to the ui Pods
549 # -- Optional labels to add to the UI pods
551 # -- SecurityContext to set on the server pods
552 podSecurityContext: {}
554 # -- Adds Role and RoleBinding for the server.
556 # -- Servers container-level security context
558 readOnlyRootFilesystem: false
560 allowPrivilegeEscalation: false
564 # -- Server name string
566 # -- Service type for server pods
567 serviceType: ClusterIP
568 # -- Service port for server
570 # -- Service target port for server
571 serviceTargetPort: 2746
572 # -- Service node port
573 serviceNodePort: # 32746
574 # -- Service port name
575 servicePortName: "" # http
576 # -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
583 # -- Create a service account for the server
585 # -- Service account name
587 # -- Labels applied to created service account
589 # -- Annotations applied to created service account
591 # -- Annotations to be applied to the UI Service
592 serviceAnnotations: {}
593 # -- Optional labels to add to the UI Service
595 # -- The class of the load balancer implementation
596 loadBalancerClass: ""
597 # -- Static IP address to assign to loadBalancer service type `LoadBalancer`
599 # -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
600 loadBalancerSourceRanges: []
601 # -- Resource limits and requests for the server
603 # -- The number of server pods to run
605 # -- The number of revisions to keep.
606 revisionHistoryLimit: 10
607 ## Argo Server Horizontal Pod Autoscaler
609 # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server
611 # -- Minimum number of replicas for the Argo Server [HPA]
613 # -- Maximum number of replicas for the Argo Server [HPA]
615 # -- Average CPU utilization percentage for the Argo Server [HPA]
616 targetCPUUtilizationPercentage: 50
617 # -- Average memory utilization percentage for the Argo Server [HPA]
618 targetMemoryUtilizationPercentage: 50
619 # -- Configures the scaling behavior of the target in both Up and Down directions.
620 # This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
623 # stabilizationWindowSeconds: 300
629 # stabilizationWindowSeconds: 300
634 # -- Configure [Pod Disruption Budget] for the server pods
640 kubernetes.io/os: linux
641 # -- [Tolerations] for use with node taints
643 # -- Assign custom [affinity] rules
645 # -- Assign custom [TopologySpreadConstraints] rules to the argo server
646 ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
647 ## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
648 topologySpreadConstraints: []
650 # topologyKey: topology.kubernetes.io/zone
651 # whenUnsatisfiable: DoNotSchedule
653 # -- Leverage a PriorityClass to ensure your pods survive resource shortages
654 ## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
655 priorityClassName: ""
656 # -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs.
657 ## See the following documentation for more details on secure mode:
658 ## https://argo-workflows.readthedocs.io/en/stable/tls/
660 # -- Extra environment variables to provide to the argo-server container
665 # -- Deprecated; use server.authModes instead.
667 # -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
668 ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
670 # -- Extra arguments to provide to the Argo server binary.
671 ## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server/#options
674 # -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
676 # -- Set the glog logging level
678 # -- Set the logging format (one of: `text`, `json`)
680 # -- Volume to be mounted in Pods for temporary files.
683 # -- Additional volume mounts to the server main container.
685 # -- Additional volumes to the server pod.
687 ## Ingress configuration.
688 # ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
690 # -- Enable an ingress resource
692 # -- Additional ingress annotations
694 # -- Additional ingress labels
696 # -- Defines which ingress controller will implement the resource
698 # -- List of ingress hosts
699 ## Hostnames must be provided if Ingress is enabled.
700 ## Secrets must be manually created in the namespace
702 # - argoworkflows.example.com
704 # -- List of ingress paths
707 # -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
709 # -- Additional ingress paths
713 # serviceName: ssl-redirect
714 # servicePort: use-annotation
715 ## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
722 # name: use-annotation
724 # -- Ingress TLS configuration
726 # - secretName: argoworkflows-example-tls
728 # - argoworkflows.example.com
729 ## Create a Google Backendconfig for use with the GKE Ingress Controller
730 ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
732 # -- Enable BackendConfig custom resource for Google Kubernetes Engine
734 # -- [BackendConfigSpec]
739 # oauthclientCredentials:
740 # secretName: argoworkflows-secret
742 ## Create a Google Managed Certificate for use with the GKE Ingress Controller
743 ## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
744 GKEmanagedCertificate:
745 # -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
747 # -- Domains for the Google Managed Certificate
749 - argoworkflows.example.com
750 ## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
751 ## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
753 # -- Enable FrontConfig custom resource for Google Kubernetes Engine
755 # -- [FrontendConfigSpec]
760 # responseCodeName: RESPONSE_CODE
762 # Gateway API HTTPRoute configuration
763 # NOTE: Gateway API support is in EXPERIMENTAL status
764 # Support depends on your Gateway controller implementation
765 # Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
766 # Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
768 # -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
770 # -- Additional HTTPRoute labels
772 # -- Additional HTTPRoute annotations
774 # -- Gateway API parentRefs for the HTTPRoute
775 ## Must reference an existing Gateway
776 # @default -- `[]` (See [values.yaml])
778 # - name: example-gateway
779 # namespace: example-gateway-namespace
781 # -- List of hostnames for the HTTPRoute
782 # @default -- `[]` (See [values.yaml])
784 # - argoworkflows.example.com
785 # -- HTTPRoute rules configuration
786 # @default -- `[]` (See [values.yaml])
793 # - type: RequestHeaderModifier
794 # requestHeaderModifier:
796 # - name: X-Custom-Header
797 # value: custom-value
801 # Gateway API BackendTLSPolicy configuration
802 # NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
803 # Required for HTTPS backends when using Gateway API
804 # Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
806 # -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
808 # -- Additional BackendTLSPolicy labels
810 # -- Additional BackendTLSPolicy annotations
812 # -- Target references for the BackendTLSPolicy
813 # @default -- `[]` (See [values.yaml])
817 # name: argo-workflows-server
819 # -- TLS validation configuration
820 # @default -- `{}` (See [values.yaml])
822 # hostname: argo-workflows-server.argo.svc.cluster.local
824 # - name: example-ca-cert
827 # wellKnownCACertificates: System
828 clusterWorkflowTemplates:
829 # -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
831 # -- Give the server permissions to edit ClusterWorkflowTemplates.
833 # SSO configuration when SSO is specified as a server auth mode.
835 # -- Create SSO configuration. If you set `true` , please also set `.Values.server.authModes` as `sso`.
837 # -- The root URL of the OIDC identity provider
838 issuer: https://accounts.google.com
840 # -- Name of secret to retrieve the app OIDC client ID
841 name: argo-server-sso
842 # -- Key of secret to retrieve the app OIDC client ID
845 # -- Name of a secret to retrieve the app OIDC client secret
846 name: argo-server-sso
847 # -- Key of a secret to retrieve the app OIDC client secret
849 # -- The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
852 # -- Adds ServiceAccount Policy to server (Cluster)Role.
854 # -- Whitelist to allow server to fetch Secrets
855 ## When present, restricts secrets the server can read to a given list.
856 ## You can use it to restrict the server to only be able to access the
857 ## service account token secrets that are associated with service accounts
858 ## used for authorization.
860 # -- Scopes requested from the SSO ID provider
861 ## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
864 # -- Define how long your login is valid for (in hours)
865 ## If omitted, defaults to 10h.
867 # -- Alternate root URLs that can be included for some OIDC providers
869 # -- Override claim name for OIDC groups
870 customGroupClaimName: ""
871 # -- Specify the user info endpoint that contains the groups claim
872 ## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
874 # -- Skip TLS verification for the HTTP client
875 insecureSkipVerify: false
876 # -- Filter the groups returned by the OIDC provider
877 ## A logical "OR" is used between each regex in the list
878 filterGroupsRegex: []
880 # - ".*argo-workflow.*"
881 # -- Extra containers to be added to the server deployment
883 # -- Enables init containers to be added to the server deployment
884 extraInitContainers: []
885 # -- Specify postStart and preStop lifecycle hooks for server container
887 # -- terminationGracePeriodSeconds for container lifecycle hook
888 terminationGracePeriodSeconds: 30
889 ## livenessProbe for server
890 ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
892 # -- Enable Kubernetes liveness probe for server
895 # -- Http port to use for the liveness probe
897 # -- Http path to use for the liveness probe
899 # -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
901 # -- Number of seconds after the container has started before [probe] is initiated
902 initialDelaySeconds: 10
903 # -- How often (in seconds) to perform the [probe]
905 # -- Number of seconds after which the [probe] times out
907 # -- Minimum consecutive successes for the [probe] to be considered successful after having failed
909# -- Array of extra K8s manifests to deploy
911# - apiVersion: secrets-store.csi.x-k8s.io/v1
912# kind: SecretProviderClass
914# name: argo-server-sso
919# - objectName: "argo/server/sso"
920# objectType: "secretsmanager"
923# objectAlias: "client_id"
924# - path: "client_secret"
925# objectAlias: "client_secret"
929# objectName: client_id
930# - key: client_secret
931# objectName: client_secret
932# secretName: argo-server-sso-secrets-store
935# -- Use static credentials for S3 (eg. when not using AWS IRSA)
936useStaticCredentials: true
938 # -- Archive the main container logs as an artifact
940 # -- Store artifact in a S3-compliant object store
941 # @default -- See [values.yaml]
943 # # Note the `key` attribute is not the actual secret, it's the PATH to
944 # # the contents in the associated secret, as defined by the `name` attribute.
946 # name: "{{ .Release.Name }}-minio"
949 # name: "{{ .Release.Name }}-minio"
951 # sessionTokenSecret:
952 # name: "{{ .Release.Name }}-minio"
954 # # insecure will disable TLS. Primarily used for minio installs not configured with TLS
965 # enableEncryption: true
966 # -- Store artifact in a GCS object store
967 # @default -- `{}` (See [values.yaml])
969 # bucket: <project>-argo
970 # keyFormat: "{{ \"{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}\" }}"
971 # # serviceAccountKeySecret is a secret selector.
972 # # It references the k8s secret named 'my-gcs-credentials'.
973 # # This secret is expected to have the key 'serviceAccountKey',
974 # # containing the base64 encoded credentials
977 # # If it's running on GKE and Workload Identity is used,
978 # # serviceAccountKeySecret is not needed.
979 # serviceAccountKeySecret:
980 # name: my-gcs-credentials
981 # key: serviceAccountKey
982 # -- Store artifact in Azure Blob Storage
983 # @default -- `{}` (See [values.yaml])
985 # endpoint: https://mystorageaccountname.blob.core.windows.net
986 # container: my-container-name
987 # blobNameFormat: path/in/container
988 # # accountKeySecret is a secret selector.
989 # # It references the k8s secret named 'my-azure-storage-credentials'.
990 # # This secret is expected to have the key 'account-access-key',
991 # # containing the base64 encoded credentials to the storage account.
992 # # If a managed identity has been assigned to the machines running the
993 # # workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity)
994 # # then accountKeySecret is not needed, and useSDKCreds should be
995 # # set to true instead:
998 # name: my-azure-storage-credentials
999 # key: account-access-key
1000# -- The section of custom artifact repository.
1001# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure)
1002customArtifactRepository: {}
1004# repoUrl: https://artifactory.example.com/raw
1006# name: artifactory-creds
1009# name: artifactory-creds
1012# -- The section of [artifact repository ref](https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/).
1013# Each map key is the name of configmap
1014# @default -- `{}` (See [values.yaml])
1015artifactRepositoryRef: {}
1017# # If you want to use this config map by default, name it "artifact-repositories".
1018# # Otherwise, you can provide a reference to a
1019# # different config map in `artifactRepositoryRef.configMap`.
1020# artifact-repositories:
1021# # -- v3.0 and after - if you want to use a specific key, put that key into this annotation.
1023# workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
1024# # 1st data of configmap. See above artifactRepository or customArtifactRepository.
1025# default-v1-s3-artifact-repository:
1029# endpoint: minio:9000
1032# name: my-minio-cred
1035# name: my-minio-cred
1038# oss-artifact-repository:
1041# endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
1043# # accessKeySecret and secretKeySecret are secret selectors.
1044# # It references the k8s secret named 'bucket-workflow-artifect-credentials'.
1045# # This secret is expected to have the keys 'accessKey'
1046# # and 'secretKey', containing the base64 encoded credentials
1049# name: $mybucket-credentials
1052# name: $mybucket-credentials
1055# another-artifact-repositories:
1057# workflows.argoproj.io/default-artifact-repository: gcs
1060# keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
1061# serviceAccountKeySecret:
1062# name: my-gcs-credentials
1063# key: serviceAccountKey
1066 # -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.
1067 ## See more: https://argo-workflows.readthedocs.io/en/stable/workflow-executors/#emissary-emissary
1069 # argoproj/argosay:v2:
1071 # docker/whalesay:latest: