argo-workflows
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
images:
2
# -- Common tag for Argo Workflows images. Defaults to `.Chart.AppVersion`.
3
tag: ""
4
# -- imagePullPolicy to apply to all containers
5
pullPolicy: Always
6
# -- Secrets with credentials to pull images from a private registry
7
pullSecrets: []
8
# - name: argo-pull-secret
9
## Custom resource configuration
10
crds:
11
# -- Install and upgrade CRDs
12
install: true
13
# -- Keep CRDs on chart uninstall
14
keep: true
15
# -- Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields.
16
# Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply.
17
full: true
18
# -- Annotations to be added to all CRDs (only applies when crds.full=false)
19
annotations: {}
20
# -- Configuration for the CRD install Job (only used when crds.full=true)
21
upgradeJob:
22
# -- Image for the kubectl container that applies CRDs
23
image:
24
# -- Repository for the kubectl image
25
repository: cgr.dev/chainguard-private/kubectl
26
# -- Tag for the kubectl image
27
tag: latest@sha256:2ad180bbbcc8d809f3a9ab75202adeddec89ee5554a46aff8ed5d0429f18a151
28
# -- Override base URL to download full CRD YAML files from. Defaults to this chart's release tag on GitHub. Ignored if hostPath is set.
29
crdBaseURL: ""
30
# -- Host path to mount CRD files from (for local/CI testing). When set, CRDs are applied from this path instead of downloading.
31
hostPath: ""
32
# -- Resources for the CRD install Job containers
33
resources: {}
34
# -- Node selector for the CRD install Job
35
nodeSelector: {}
36
# -- Tolerations for the CRD install Job
37
tolerations: []
38
# -- Image pull secrets for the CRD install Job
39
imagePullSecrets: []
40
# -- Extra environment variables to provide to the CRD install Job container
41
extraEnv: []
42
# - name: HTTP_PROXY
43
# value: "http://proxy.example.com:8080"
44
# - name: HTTPS_PROXY
45
# value: "http://proxy.example.com:8080"
46
# - name: NO_PROXY
47
# value: "localhost,127.0.0.1,10.96.0.0/12,192.168.0.0/16"
48
# -- Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs.
49
## Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
50
createAggregateRoles: true
51
# -- String to partially override "argo-workflows.fullname" template
52
nameOverride:
53
# -- String to fully override "argo-workflows.fullname" template
54
fullnameOverride:
55
# -- Override the namespace
56
# @default -- `.Release.Namespace`
57
namespaceOverride: ""
58
# -- Labels to set on all resources
59
commonLabels: {}
60
# -- Override the Kubernetes version, which is used to evaluate certain manifests
61
kubeVersionOverride: ""
62
# Override APIVersions
63
apiVersionOverrides:
64
# -- String to override apiVersion of autoscaling rendered by this helm chart
65
autoscaling: "" # autoscaling/v2
66
# -- String to override apiVersion of GKE resources rendered by this helm chart
67
cloudgoogle: "" # cloud.google.com/v1
68
# -- String to override apiVersion of monitoring CRDs (ServiceMonitor) rendered by this helm chart
69
monitoring: "" # monitoring.coreos.com/v1
70
# -- Restrict Argo to operate only in a single namespace (the namespace of the
71
# Helm release) by apply Roles and RoleBindings instead of the Cluster
72
# equivalents, and start workflow-controller with the --namespaced flag. Use it
73
# in clusters with strict access policy.
74
singleNamespace: false
75
workflow:
76
# -- Deprecated; use controller.workflowNamespaces instead.
77
namespace:
78
serviceAccount:
79
# -- Specifies whether a service account should be created
80
create: false
81
# -- Specifies whether a secret for each service account should be created
82
createSecret: false
83
# -- Labels applied to created service account
84
labels: {}
85
# -- Annotations applied to created service account
86
annotations: {}
87
# -- Service account which is used to run workflows
88
name: "argo-workflow"
89
# -- Secrets with credentials to pull images from a private registry. Same format as `.Values.images.pullSecrets`
90
pullSecrets: []
91
rbac:
92
# -- Adds Role and RoleBinding for the above specified service account to be able to run workflows.
93
# A Role and Rolebinding pair is also created for each namespace in controller.workflowNamespaces (see below)
94
create: true
95
# -- Allows permissions for the Argo Agent. Only required if using http/plugin templates
96
agentPermissions: false
97
# -- Allows permissions for the Argo Artifact GC pod. Only required if using artifact gc
98
artifactGC: false
99
# -- Extra service accounts to be added to the RoleBinding
100
serviceAccounts: []
101
# - name: my-service-account
102
# namespace: my-namespace
103
# -- Additional rules for the service account that runs the workflows.
104
rules: []
105
controller:
106
image:
107
# -- Registry to use for the controller
108
registry: cgr.dev
109
# -- Registry to use for the controller
110
repository: chainguard-private/argo-workflowcontroller
111
# -- Image tag for the workflow controller. Defaults to `.Values.images.tag`.
112
tag: latest@sha256:24712b85c065c9cf0ad26191cdbbb789c9d513c26f85d39b748254328f5f0c78
113
# -- parallelism dictates how many workflows can be running at the same time
114
parallelism:
115
# -- Globally limits the rate at which pods are created.
116
# This is intended to mitigate flooding of the Kubernetes API server by workflows with a large amount of
117
# parallel nodes.
118
resourceRateLimit: {}
119
# limit: 10
120
# burst: 1
121
122
rbac:
123
# -- Adds Role and RoleBinding for the controller.
124
create: true
125
# -- Allows controller to get, list, and watch certain k8s secrets
126
secretWhitelist: []
127
# -- Allows controller to get, list and watch all k8s secrets. Can only be used if secretWhitelist is empty.
128
accessAllSecrets: false
129
# -- Allows controller to create and update ConfigMaps. Enables memoization feature
130
writeConfigMaps: false
131
configMap:
132
# -- Create a ConfigMap for the controller
133
create: true
134
# -- ConfigMap name
135
name: ""
136
# -- ConfigMap annotations
137
annotations: {}
138
# -- Limits the maximum number of incomplete workflows in a namespace
139
namespaceParallelism:
140
# -- Resolves ongoing, uncommon AWS EKS bug: https://github.com/argoproj/argo-workflows/pull/4224
141
initialDelay:
142
# -- deploymentAnnotations is an optional map of annotations to be applied to the controller Deployment
143
deploymentAnnotations: {}
144
# -- podAnnotations is an optional map of annotations to be applied to the controller Pods
145
podAnnotations: {}
146
# -- Optional labels to add to the controller pods
147
podLabels: {}
148
# -- SecurityContext to set on the controller pods
149
podSecurityContext: {}
150
# podPortName: http
151
metricsConfig:
152
# -- Enables prometheus metrics server
153
enabled: false
154
# -- Path is the path where metrics are emitted. Must start with a "/".
155
path: /metrics
156
# -- Frequency at which prometheus scrapes metrics
157
interval: 30s
158
# -- Port is the port where metrics are emitted
159
port: 9090
160
# -- How often custom metrics are cleared from memory
161
metricsTTL: ""
162
# -- Flag that instructs prometheus to ignore metric emission errors.
163
ignoreErrors: false
164
# -- Flag that use a self-signed cert for TLS
165
secure: false
166
# -- Container metrics port name
167
portName: metrics
168
# -- Service metrics port
169
servicePort: 8080
170
# -- Service metrics port name
171
servicePortName: metrics
172
# -- serviceMonitor scheme
173
scheme: http
174
# -- Flag to enable headless service
175
headlessService: false
176
# -- When true, honorLabels preserves the metric’s labels when they collide with the target’s labels.
177
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#honorlabels
178
honorLabels: false
179
# -- ServiceMonitor relabel configs to apply to samples before scraping
180
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
181
relabelings: []
182
# -- ServiceMonitor metric relabel configs to apply to samples before ingestion
183
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint
184
metricRelabelings: []
185
# -- ServiceMonitor will add labels from the service to the Prometheus metric
186
## Ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec
187
targetLabels: []
188
# -- Manipulate the metrics created by the workflow controller
189
## Ref: https://argo-workflows.readthedocs.io/en/latest/metrics/#modifiers
190
modifiers: {}
191
# -- the controller container's securityContext
192
securityContext:
193
readOnlyRootFilesystem: true
194
runAsNonRoot: true
195
allowPrivilegeEscalation: false
196
capabilities:
197
drop:
198
- ALL
199
# -- enable Workflow Archive to store the status of workflows. Postgres and MySQL (>= 5.7.8) are available.
200
## Ref: https://argo-workflows.readthedocs.io/en/stable/workflow-archive/
201
persistence: {}
202
# connectionPool:
203
# maxIdleConns: 100
204
# maxOpenConns: 0
205
# # save the entire workflow into etcd and DB
206
# nodeStatusOffLoad: false
207
# # enable archiving of old workflows
208
# archive: false
209
# postgresql:
210
# host: localhost
211
# port: 5432
212
# database: postgres
213
# tableName: argo_workflows
214
# # the database secrets must be in the same namespace of the controller
215
# userNameSecret:
216
# name: argo-postgres-config
217
# key: username
218
# passwordSecret:
219
# name: argo-postgres-config
220
# key: password
221
# ssl: true
222
# # sslMode must be one of: disable, require, verify-ca, verify-full
223
# # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
224
# sslMode: require
225
# mysql:
226
# host: localhost
227
# port: 3306
228
# database: argo
229
# tableName: argo_workflows
230
# userNameSecret:
231
# name: argo-mysql-config
232
# key: username
233
# passwordSecret:
234
# name: argo-mysql-config
235
# key: password
236
237
# -- Default values that will apply to all Workflows from this controller, unless overridden on the Workflow-level.
238
# Only valid for 2.7+
239
## See more: https://argo-workflows.readthedocs.io/en/stable/default-workflow-specs/
240
workflowDefaults: {}
241
# spec:
242
# ttlStrategy:
243
# secondsAfterCompletion: 86400
244
# # Ref: https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/
245
# artifactRepositoryRef:
246
# configMap: my-artifact-repository # default is "artifact-repositories"
247
# key: v2-s3-artifact-repository # default can be set by the `workflows.argoproj.io/default-artifact-repository` annotation in config map.
248
249
# -- Number of workflow workers
250
workflowWorkers: # 32
251
# -- Number of workflow TTL workers
252
workflowTTLWorkers: # 4
253
# -- Number of pod cleanup workers
254
podCleanupWorkers: # 4
255
# -- Number of cron workflow workers
256
# Only valid for 3.5+
257
cronWorkflowWorkers: # 8
258
# -- Restricts the Workflows that the controller will process.
259
# Only valid for 2.9+
260
workflowRestrictions: {}
261
# templateReferencing: Strict|Secure
262
263
# telemetryConfig controls the path and port for prometheus telemetry. Telemetry is enabled and emitted in the same endpoint
264
# as metrics by default, but can be overridden using this config.
265
telemetryConfig:
266
# -- Enables prometheus telemetry server
267
enabled: false
268
# -- telemetry path
269
path: /telemetry
270
# -- Frequency at which prometheus scrapes telemetry data
271
interval: 30s
272
# -- telemetry container port
273
port: 8081
274
# -- How often custom metrics are cleared from memory
275
metricsTTL: ""
276
# -- Flag that instructs prometheus to ignore metric emission errors.
277
ignoreErrors: false
278
# -- Flag that use a self-signed cert for TLS
279
secure: false
280
# -- telemetry service port
281
servicePort: 8081
282
# -- telemetry service port name
283
servicePortName: telemetry
284
# -- telemetry serviceMonitor scheme to use
285
scheme: http
286
serviceMonitor:
287
# -- Enable a prometheus ServiceMonitor
288
enabled: false
289
# -- Prometheus ServiceMonitor labels
290
additionalLabels: {}
291
# -- Prometheus ServiceMonitor namespace
292
namespace: "" # "monitoring"
293
serviceAccount:
294
# -- Create a service account for the controller
295
create: true
296
# -- Service account name
297
name: ""
298
# -- Labels applied to created service account
299
labels: {}
300
# -- Annotations applied to created service account
301
annotations: {}
302
# -- Workflow controller name string
303
name: workflow-controller
304
# -- Specify all namespaces where this workflow controller instance will manage
305
# workflows. This controls where the service account and RBAC resources will
306
# be created. Only valid when singleNamespace is false.
307
workflowNamespaces:
308
- default
309
instanceID:
310
# -- Configures the controller to filter workflow submissions
311
# to only those which have a matching instanceID attribute.
312
## NOTE: If `instanceID.enabled` is set to `true` then either `instanceID.userReleaseName`
313
## or `instanceID.explicitID` must be defined.
314
enabled: false
315
# -- Use ReleaseName as instanceID
316
useReleaseName: false
317
# useReleaseName: true
318
319
# -- Use a custom instanceID
320
explicitID: ""
321
# explicitID: unique-argo-controller-identifier
322
logging:
323
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
324
level: info
325
# -- Set the glog logging level
326
globallevel: "0"
327
# -- Set the logging format (one of: `text`, `json`)
328
format: "text"
329
# -- Service type of the controller Service
330
serviceType: ClusterIP
331
# -- Annotations to be applied to the controller Service
332
serviceAnnotations: {}
333
# -- Optional labels to add to the controller Service
334
serviceLabels: {}
335
# -- The class of the load balancer implementation
336
loadBalancerClass: ""
337
# -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
338
loadBalancerSourceRanges: []
339
# -- Resource limits and requests for the controller
340
resources: {}
341
# -- Configure liveness [probe] for the controller
342
# @default -- See [values.yaml]
343
livenessProbe:
344
httpGet:
345
port: 6060
346
path: /healthz
347
failureThreshold: 3
348
initialDelaySeconds: 90
349
periodSeconds: 60
350
timeoutSeconds: 30
351
# -- Extra environment variables to provide to the controller container
352
extraEnv: []
353
# - name: FOO
354
# value: "bar"
355
356
# -- Extra arguments to be added to the controller
357
extraArgs: []
358
# -- Additional volume mounts to the controller main container
359
volumeMounts: []
360
# -- Additional volumes to the controller pod
361
volumes: []
362
# -- The number of controller pods to run
363
replicas: 1
364
# -- The number of revisions to keep.
365
revisionHistoryLimit: 10
366
pdb:
367
# -- Configure [Pod Disruption Budget] for the controller pods
368
enabled: false
369
# minAvailable: 1
370
# maxUnavailable: 1
371
# -- [Node selector]
372
nodeSelector:
373
kubernetes.io/os: linux
374
# -- [Tolerations] for use with node taints
375
tolerations: []
376
# -- Assign custom [affinity] rules
377
affinity: {}
378
# -- Assign custom [TopologySpreadConstraints] rules to the workflow controller
379
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
380
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
381
topologySpreadConstraints: []
382
# - maxSkew: 1
383
# topologyKey: topology.kubernetes.io/zone
384
# whenUnsatisfiable: DoNotSchedule
385
386
# -- Leverage a PriorityClass to ensure your pods survive resource shortages.
387
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
388
priorityClassName: ""
389
# -- Configure Argo Server to show custom [links]
390
## Ref: https://argo-workflows.readthedocs.io/en/stable/links/
391
links: []
392
# -- Configure Argo Server to show custom [columns]
393
## Ref: https://github.com/argoproj/argo-workflows/pull/10693
394
columns: []
395
# -- Set ui navigation bar background color
396
navColor: ""
397
clusterWorkflowTemplates:
398
# -- Create a ClusterRole and CRB for the controller to access ClusterWorkflowTemplates.
399
enabled: true
400
# -- Extra service accounts to be added to the ClusterRoleBinding
401
serviceAccounts: []
402
# - name: my-service-account
403
# namespace: my-namespace
404
# -- Extra containers to be added to the controller deployment
405
extraContainers: []
406
# -- Enables init containers to be added to the controller deployment
407
extraInitContainers: []
408
# -- Workflow retention by number of workflows
409
retentionPolicy: {}
410
# completed: 10
411
# failed: 3
412
# errored: 3
413
414
nodeEvents:
415
# -- Enable to emit events on node completion.
416
## This can take up a lot of space in k8s (typically etcd) resulting in errors when trying to create new events:
417
## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
418
enabled: true
419
workflowEvents:
420
# -- Enable to emit events on workflow status changes.
421
## This can take up a lot of space in k8s (typically etcd), resulting in errors when trying to create new events:
422
## "Unable to create audit event: etcdserver: mvcc: database space exceeded"
423
enabled: true
424
# -- Configure when workflow controller runs in a different k8s cluster with the workflow workloads,
425
# or needs to communicate with the k8s apiserver using an out-of-cluster kubeconfig secret.
426
# @default -- `{}` (See [values.yaml])
427
kubeConfig: {}
428
# # name of the kubeconfig secret, may not be empty when kubeConfig specified
429
# secretName: kubeconfig-secret
430
# # key of the kubeconfig secret, may not be empty when kubeConfig specified
431
# secretKey: kubeconfig
432
# # mounting path of the kubeconfig secret, default to /kube/config
433
# mountPath: /kubeconfig/mount/path
434
# # volume name when mounting the secret, default to kubeconfig
435
# volumeName: kube-config-volume
436
437
# -- Specifies the duration in seconds before a terminating pod is forcefully killed. A zero value indicates that the pod will be forcefully terminated immediately.
438
# @default -- `30` seconds (Kubernetes default)
439
podGCGracePeriodSeconds:
440
# -- The duration in seconds before the pods in the GC queue get deleted. A zero value indicates that the pods will be deleted immediately.
441
# @default -- `5s` (Argo Workflows default)
442
podGCDeleteDelayDuration: ""
443
# -- enable Synchronization to use a database. Postgres and MySQL (>= 5.7.8) are available.
444
## Ref: https://argo-workflows.readthedocs.io/en/latest/workflow-controller-configmap/#syncconfig
445
synchronization: {}
446
# controllerName: argo-workflows
447
# connectionPool:
448
# maxIdleConns: 100
449
# maxOpenConns: 0
450
# postgresql:
451
# host: localhost
452
# port: 5432
453
# database: postgres
454
# tableName: argo_workflows
455
# # the database secrets must be in the same namespace of the controller
456
# userNameSecret:
457
# name: argo-postgres-config
458
# key: username
459
# passwordSecret:
460
# name: argo-postgres-config
461
# key: password
462
# ssl: true
463
# # sslMode must be one of: disable, require, verify-ca, verify-full
464
# # you can find more information about those ssl options here: https://godoc.org/github.com/lib/pq
465
# sslMode: require
466
# mysql:
467
# host: localhost
468
# port: 3306
469
# database: argo
470
# tableName: argo_workflows
471
# userNameSecret:
472
# name: argo-mysql-config
473
# key: username
474
# passwordSecret:
475
# name: argo-mysql-config
476
# key: password
477
478
failedPodRestart:
479
# -- Enable to restart of pods that fail before entering Running state.
480
## This is useful for recovering from transient infrastructure issues like node eviction due to DiskPressure or MemoryPressure without requiring a retryStrategy on every template.
481
## ref: https://argo-workflows.readthedocs.io/en/latest/pod-restarts/
482
enabled: false
483
# -- Maximum number of automatic restarts per node before giving up.
484
maxRestarts: 3
485
# mainContainer adds default config for main container that could be overriden in workflows template
486
mainContainer:
487
# -- imagePullPolicy to apply to Workflow main container. Defaults to `.Values.images.pullPolicy`.
488
imagePullPolicy: ""
489
# -- Resource limits and requests for the Workflow main container
490
resources: {}
491
# -- Adds environment variables for the Workflow main container
492
env: []
493
# -- Adds reference environment variables for the Workflow main container
494
envFrom: []
495
# -- sets security context for the Workflow main container
496
securityContext: {}
497
# executor controls how the init and wait container should be customized
498
executor:
499
image:
500
# -- Registry to use for the Workflow Executors
501
registry: cgr.dev
502
# -- Repository to use for the Workflow Executors
503
repository: chainguard-private/argo-exec
504
# -- Image tag for the workflow executor. Defaults to `.Values.images.tag`.
505
tag: latest@sha256:0ca6a3cb88ccf4f36523d698f7d5e8a882f1dbbb890a3aa78ecb402f5caac324
506
# -- Image PullPolicy to use for the Workflow Executors. Defaults to `.Values.images.pullPolicy`.
507
pullPolicy: ""
508
# -- Resource limits and requests for the Workflow Executors
509
resources: {}
510
# -- Passes arguments to the executor processes
511
args: []
512
# -- Adds environment variables for the executor.
513
env: []
514
# -- sets security context for the executor container
515
securityContext: {}
516
server:
517
# -- Deploy the Argo Server
518
enabled: true
519
# -- Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /.
520
## only updates base url of resources on client side,
521
## it's expected that a proxy server rewrites the request URL and gets rid of this prefix
522
## https://github.com/argoproj/argo-workflows/issues/716#issuecomment-433213190
523
baseHref: /
524
image:
525
# -- Registry to use for the server
526
registry: cgr.dev
527
# -- Repository to use for the server
528
repository: chainguard-private/argo-cli
529
# -- Image tag for the Argo Workflows server. Defaults to `.Values.images.tag`.
530
tag: latest@sha256:0e652c7e3d677a5a9b508fa4cd18423dc0aaec92e6bf52b38dd081b4e6f6a976
531
# -- optional map of annotations to be applied to the ui Deployment
532
deploymentAnnotations: {}
533
# -- optional map of annotations to be applied to the ui Pods
534
podAnnotations: {}
535
# -- Optional labels to add to the UI pods
536
podLabels: {}
537
# -- SecurityContext to set on the server pods
538
podSecurityContext: {}
539
rbac:
540
# -- Adds Role and RoleBinding for the server.
541
create: true
542
# -- Servers container-level security context
543
securityContext:
544
readOnlyRootFilesystem: false
545
runAsNonRoot: true
546
allowPrivilegeEscalation: false
547
capabilities:
548
drop:
549
- ALL
550
# -- Server name string
551
name: server
552
# -- Service type for server pods
553
serviceType: ClusterIP
554
# -- Service port for server
555
servicePort: 2746
556
# -- Service target port for server
557
serviceTargetPort: 2746
558
# -- Service node port
559
serviceNodePort: # 32746
560
# -- Service port name
561
servicePortName: "" # http
562
# -- Mapping between IP and hostnames that will be injected as entries in the pod's hosts files
563
hostAliases: []
564
# - ip: 10.20.30.40
565
# hostnames:
566
# - git.myhostname
567
568
serviceAccount:
569
# -- Create a service account for the server
570
create: true
571
# -- Service account name
572
name: ""
573
# -- Labels applied to created service account
574
labels: {}
575
# -- Annotations applied to created service account
576
annotations: {}
577
# -- Annotations to be applied to the UI Service
578
serviceAnnotations: {}
579
# -- Optional labels to add to the UI Service
580
serviceLabels: {}
581
# -- The class of the load balancer implementation
582
loadBalancerClass: ""
583
# -- Static IP address to assign to loadBalancer service type `LoadBalancer`
584
loadBalancerIP: ""
585
# -- Source ranges to allow access to service from. Only applies to service type `LoadBalancer`
586
loadBalancerSourceRanges: []
587
# -- Resource limits and requests for the server
588
resources: {}
589
# -- The number of server pods to run
590
replicas: 1
591
# -- The number of revisions to keep.
592
revisionHistoryLimit: 10
593
## Argo Server Horizontal Pod Autoscaler
594
autoscaling:
595
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo Server
596
enabled: false
597
# -- Minimum number of replicas for the Argo Server [HPA]
598
minReplicas: 1
599
# -- Maximum number of replicas for the Argo Server [HPA]
600
maxReplicas: 5
601
# -- Average CPU utilization percentage for the Argo Server [HPA]
602
targetCPUUtilizationPercentage: 50
603
# -- Average memory utilization percentage for the Argo Server [HPA]
604
targetMemoryUtilizationPercentage: 50
605
# -- Configures the scaling behavior of the target in both Up and Down directions.
606
# This is only available on HPA apiVersion `autoscaling/v2beta2` and newer
607
behavior: {}
608
# scaleDown:
609
# stabilizationWindowSeconds: 300
610
# policies:
611
# - type: Pods
612
# value: 1
613
# periodSeconds: 180
614
# scaleUp:
615
# stabilizationWindowSeconds: 300
616
# policies:
617
# - type: Pods
618
# value: 2
619
pdb:
620
# -- Configure [Pod Disruption Budget] for the server pods
621
enabled: false
622
# minAvailable: 1
623
# maxUnavailable: 1
624
# -- [Node selector]
625
nodeSelector:
626
kubernetes.io/os: linux
627
# -- [Tolerations] for use with node taints
628
tolerations: []
629
# -- Assign custom [affinity] rules
630
affinity: {}
631
# -- Assign custom [TopologySpreadConstraints] rules to the argo server
632
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
633
## If labelSelector is left out, it will default to the labelSelector configuration of the deployment
634
topologySpreadConstraints: []
635
# - maxSkew: 1
636
# topologyKey: topology.kubernetes.io/zone
637
# whenUnsatisfiable: DoNotSchedule
638
639
# -- Leverage a PriorityClass to ensure your pods survive resource shortages
640
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
641
priorityClassName: ""
642
# -- Run the argo server in "secure" mode. Configure this value instead of `--secure` in extraArgs.
643
## See the following documentation for more details on secure mode:
644
## https://argo-workflows.readthedocs.io/en/stable/tls/
645
secure: false
646
# -- Extra environment variables to provide to the argo-server container
647
extraEnv: []
648
# - name: FOO
649
# value: "bar"
650
651
# -- Deprecated; use server.authModes instead.
652
authMode: ""
653
# -- A list of supported authentication modes. Available values are `server`, `client`, or `sso`. If you provide sso, please configure `.Values.server.sso` as well.
654
## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server-auth-mode/
655
authModes: []
656
# -- Extra arguments to provide to the Argo server binary.
657
## Ref: https://argo-workflows.readthedocs.io/en/stable/argo-server/#options
658
extraArgs: []
659
logging:
660
# -- Set the logging level (one of: `debug`, `info`, `warn`, `error`)
661
level: info
662
# -- Set the glog logging level
663
globallevel: "0"
664
# -- Set the logging format (one of: `text`, `json`)
665
format: "text"
666
# -- Volume to be mounted in Pods for temporary files.
667
tmpVolume:
668
emptyDir: {}
669
# -- Additional volume mounts to the server main container.
670
volumeMounts: []
671
# -- Additional volumes to the server pod.
672
volumes: []
673
## Ingress configuration.
674
# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
675
ingress:
676
# -- Enable an ingress resource
677
enabled: false
678
# -- Additional ingress annotations
679
annotations: {}
680
# -- Additional ingress labels
681
labels: {}
682
# -- Defines which ingress controller will implement the resource
683
ingressClassName: ""
684
# -- List of ingress hosts
685
## Hostnames must be provided if Ingress is enabled.
686
## Secrets must be manually created in the namespace
687
hosts: []
688
# - argoworkflows.example.com
689
690
# -- List of ingress paths
691
paths:
692
- /
693
# -- Ingress path type. One of `Exact`, `Prefix` or `ImplementationSpecific`
694
pathType: Prefix
695
# -- Additional ingress paths
696
extraPaths: []
697
# - path: /*
698
# backend:
699
# serviceName: ssl-redirect
700
# servicePort: use-annotation
701
## for Kubernetes >=1.19 (when "networking.k8s.io/v1" is used)
702
# - path: /*
703
# pathType: Prefix
704
# backend:
705
# service
706
# name: ssl-redirect
707
# port:
708
# name: use-annotation
709
710
# -- Ingress TLS configuration
711
tls: []
712
# - secretName: argoworkflows-example-tls
713
# hosts:
714
# - argoworkflows.example.com
715
## Create a Google Backendconfig for use with the GKE Ingress Controller
716
## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
717
GKEbackendConfig:
718
# -- Enable BackendConfig custom resource for Google Kubernetes Engine
719
enabled: false
720
# -- [BackendConfigSpec]
721
spec: {}
722
# spec:
723
# iap:
724
# enabled: true
725
# oauthclientCredentials:
726
# secretName: argoworkflows-secret
727
728
## Create a Google Managed Certificate for use with the GKE Ingress Controller
729
## https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
730
GKEmanagedCertificate:
731
# -- Enable ManagedCertificate custom resource for Google Kubernetes Engine.
732
enabled: false
733
# -- Domains for the Google Managed Certificate
734
domains:
735
- argoworkflows.example.com
736
## Create a Google FrontendConfig Custom Resource, for use with the GKE Ingress Controller
737
## https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features#configuring_ingress_features_through_frontendconfig_parameters
738
GKEfrontendConfig:
739
# -- Enable FrontConfig custom resource for Google Kubernetes Engine
740
enabled: false
741
# -- [FrontendConfigSpec]
742
spec: {}
743
# spec:
744
# redirectToHttps:
745
# enabled: true
746
# responseCodeName: RESPONSE_CODE
747
748
# Gateway API HTTPRoute configuration
749
# NOTE: Gateway API support is in EXPERIMENTAL status
750
# Support depends on your Gateway controller implementation
751
# Some controllers may require additional configuration (e.g., BackendTLSPolicy for HTTPS backends)
752
# Refer to https://gateway-api.sigs.k8s.io/implementations/ for controller-specific details
753
httproute:
754
# -- Enable HTTPRoute resource for Argo Workflows server (Gateway API)
755
enabled: false
756
# -- Additional HTTPRoute labels
757
labels: {}
758
# -- Additional HTTPRoute annotations
759
annotations: {}
760
# -- Gateway API parentRefs for the HTTPRoute
761
## Must reference an existing Gateway
762
# @default -- `[]` (See [values.yaml])
763
parentRefs: []
764
# - name: example-gateway
765
# namespace: example-gateway-namespace
766
# sectionName: https
767
# -- List of hostnames for the HTTPRoute
768
# @default -- `[]` (See [values.yaml])
769
hostnames: []
770
# - argoworkflows.example.com
771
# -- HTTPRoute rules configuration
772
# @default -- `[]` (See [values.yaml])
773
rules:
774
- matches:
775
- path:
776
type: PathPrefix
777
value: /
778
# filters: []
779
# - type: RequestHeaderModifier
780
# requestHeaderModifier:
781
# add:
782
# - name: X-Custom-Header
783
# value: custom-value
784
# timeouts:
785
# request: 10s
786
# backendRequest: 2s
787
# Gateway API BackendTLSPolicy configuration
788
# NOTE: BackendTLSPolicy support is in EXPERIMENTAL status
789
# Required for HTTPS backends when using Gateway API
790
# Not all Gateway controllers support this resource (e.g., Cilium does not support it yet)
791
backendTLSPolicy:
792
# -- Enable BackendTLSPolicy resource for Argo Workflows server (Gateway API)
793
enabled: false
794
# -- Additional BackendTLSPolicy labels
795
labels: {}
796
# -- Additional BackendTLSPolicy annotations
797
annotations: {}
798
# -- Target references for the BackendTLSPolicy
799
# @default -- `[]` (See [values.yaml])
800
targetRefs: []
801
# - group: ""
802
# kind: Service
803
# name: argo-workflows-server
804
# sectionName: https
805
# -- TLS validation configuration
806
# @default -- `{}` (See [values.yaml])
807
validation: {}
808
# hostname: argo-workflows-server.argo.svc.cluster.local
809
# caCertificateRefs:
810
# - name: example-ca-cert
811
# group: ""
812
# kind: ConfigMap
813
# wellKnownCACertificates: System
814
clusterWorkflowTemplates:
815
# -- Create a ClusterRole and CRB for the server to access ClusterWorkflowTemplates.
816
enabled: true
817
# -- Give the server permissions to edit ClusterWorkflowTemplates.
818
enableEditing: true
819
# SSO configuration when SSO is specified as a server auth mode.
820
sso:
821
# -- Create SSO configuration. If you set `true` , please also set `.Values.server.authModes` as `sso`.
822
enabled: false
823
# -- The root URL of the OIDC identity provider
824
issuer: https://accounts.google.com
825
clientId:
826
# -- Name of secret to retrieve the app OIDC client ID
827
name: argo-server-sso
828
# -- Key of secret to retrieve the app OIDC client ID
829
key: client-id
830
clientSecret:
831
# -- Name of a secret to retrieve the app OIDC client secret
832
name: argo-server-sso
833
# -- Key of a secret to retrieve the app OIDC client secret
834
key: client-secret
835
# -- The OIDC redirect URL. Should be in the form <argo-root-url>/oauth2/callback.
836
redirectUrl: ""
837
rbac:
838
# -- Adds ServiceAccount Policy to server (Cluster)Role.
839
enabled: true
840
# -- Whitelist to allow server to fetch Secrets
841
## When present, restricts secrets the server can read to a given list.
842
## You can use it to restrict the server to only be able to access the
843
## service account token secrets that are associated with service accounts
844
## used for authorization.
845
secretWhitelist: []
846
# -- Scopes requested from the SSO ID provider
847
## The 'groups' scope requests group membership information, which is usually used for authorization decisions.
848
scopes: []
849
# - groups
850
# -- Define how long your login is valid for (in hours)
851
## If omitted, defaults to 10h.
852
sessionExpiry: ""
853
# -- Alternate root URLs that can be included for some OIDC providers
854
issuerAlias: ""
855
# -- Override claim name for OIDC groups
856
customGroupClaimName: ""
857
# -- Specify the user info endpoint that contains the groups claim
858
## Configure this if your OIDC provider provides groups information only using the user-info endpoint (e.g. Okta)
859
userInfoPath: ""
860
# -- Skip TLS verification for the HTTP client
861
insecureSkipVerify: false
862
# -- Filter the groups returned by the OIDC provider
863
## A logical "OR" is used between each regex in the list
864
filterGroupsRegex: []
865
# - ".*argo-wf.*"
866
# - ".*argo-workflow.*"
867
# -- Extra containers to be added to the server deployment
868
extraContainers: []
869
# -- Enables init containers to be added to the server deployment
870
extraInitContainers: []
871
# -- Specify postStart and preStop lifecycle hooks for server container
872
lifecycle: {}
873
# -- terminationGracePeriodSeconds for container lifecycle hook
874
terminationGracePeriodSeconds: 30
875
## livenessProbe for server
876
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
877
livenessProbe:
878
# -- Enable Kubernetes liveness probe for server
879
enabled: false
880
httpGet:
881
# -- Http port to use for the liveness probe
882
port: 2746
883
# -- Http path to use for the liveness probe
884
path: /
885
# -- Minimum consecutive failures for the [probe] to be considered failed after having succeeded
886
failureThreshold: 3
887
# -- Number of seconds after the container has started before [probe] is initiated
888
initialDelaySeconds: 10
889
# -- How often (in seconds) to perform the [probe]
890
periodSeconds: 10
891
# -- Number of seconds after which the [probe] times out
892
timeoutSeconds: 1
893
# -- Minimum consecutive successes for the [probe] to be considered successful after having failed
894
successThreshold: 1
895
# -- Array of extra K8s manifests to deploy
896
extraObjects: []
897
# - apiVersion: secrets-store.csi.x-k8s.io/v1
898
# kind: SecretProviderClass
899
# metadata:
900
# name: argo-server-sso
901
# spec:
902
# provider: aws
903
# parameters:
904
# objects: |
905
# - objectName: "argo/server/sso"
906
# objectType: "secretsmanager"
907
# jmesPath:
908
# - path: "client_id"
909
# objectAlias: "client_id"
910
# - path: "client_secret"
911
# objectAlias: "client_secret"
912
# secretObjects:
913
# - data:
914
# - key: client_id
915
# objectName: client_id
916
# - key: client_secret
917
# objectName: client_secret
918
# secretName: argo-server-sso-secrets-store
919
# type: Opaque
920
921
# -- Use static credentials for S3 (eg. when not using AWS IRSA)
922
useStaticCredentials: true
923
artifactRepository:
924
# -- Archive the main container logs as an artifact
925
archiveLogs: false
926
# -- Store artifact in a S3-compliant object store
927
# @default -- See [values.yaml]
928
s3: {}
929
# # Note the `key` attribute is not the actual secret, it's the PATH to
930
# # the contents in the associated secret, as defined by the `name` attribute.
931
# accessKeySecret:
932
# name: "{{ .Release.Name }}-minio"
933
# key: accesskey
934
# secretKeySecret:
935
# name: "{{ .Release.Name }}-minio"
936
# key: secretkey
937
# sessionTokenSecret:
938
# name: "{{ .Release.Name }}-minio"
939
# key: sessionToken
940
# # insecure will disable TLS. Primarily used for minio installs not configured with TLS
941
# insecure: false
942
# caSecret:
943
# name: ca-root
944
# key: cert.pem
945
# bucket:
946
# endpoint:
947
# region:
948
# roleARN:
949
# useSDKCreds: true
950
# encryptionOptions:
951
# enableEncryption: true
952
# -- Store artifact in a GCS object store
953
# @default -- `{}` (See [values.yaml])
954
gcs: {}
955
# bucket: <project>-argo
956
# keyFormat: "{{ \"{{workflow.namespace}}/{{workflow.name}}/{{pod.name}}\" }}"
957
# # serviceAccountKeySecret is a secret selector.
958
# # It references the k8s secret named 'my-gcs-credentials'.
959
# # This secret is expected to have the key 'serviceAccountKey',
960
# # containing the base64 encoded credentials
961
# # to the bucket.
962
# #
963
# # If it's running on GKE and Workload Identity is used,
964
# # serviceAccountKeySecret is not needed.
965
# serviceAccountKeySecret:
966
# name: my-gcs-credentials
967
# key: serviceAccountKey
968
# -- Store artifact in Azure Blob Storage
969
# @default -- `{}` (See [values.yaml])
970
azure: {}
971
# endpoint: https://mystorageaccountname.blob.core.windows.net
972
# container: my-container-name
973
# blobNameFormat: path/in/container
974
# # accountKeySecret is a secret selector.
975
# # It references the k8s secret named 'my-azure-storage-credentials'.
976
# # This secret is expected to have the key 'account-access-key',
977
# # containing the base64 encoded credentials to the storage account.
978
# # If a managed identity has been assigned to the machines running the
979
# # workflow (e.g., https://docs.microsoft.com/en-us/azure/aks/use-managed-identity)
980
# # then accountKeySecret is not needed, and useSDKCreds should be
981
# # set to true instead:
982
# useSDKCreds: true
983
# accountKeySecret:
984
# name: my-azure-storage-credentials
985
# key: account-access-key
986
# -- The section of custom artifact repository.
987
# Utilize a custom artifact repository that is not one of the current base ones (s3, gcs, azure)
988
customArtifactRepository: {}
989
# artifactory:
990
# repoUrl: https://artifactory.example.com/raw
991
# usernameSecret:
992
# name: artifactory-creds
993
# key: username
994
# passwordSecret:
995
# name: artifactory-creds
996
# key: password
997
998
# -- The section of [artifact repository ref](https://argo-workflows.readthedocs.io/en/stable/artifact-repository-ref/).
999
# Each map key is the name of configmap
1000
# @default -- `{}` (See [values.yaml])
1001
artifactRepositoryRef: {}
1002
# # -- 1st ConfigMap
1003
# # If you want to use this config map by default, name it "artifact-repositories".
1004
# # Otherwise, you can provide a reference to a
1005
# # different config map in `artifactRepositoryRef.configMap`.
1006
# artifact-repositories:
1007
# # -- v3.0 and after - if you want to use a specific key, put that key into this annotation.
1008
# annotations:
1009
# workflows.argoproj.io/default-artifact-repository: default-v1-s3-artifact-repository
1010
# # 1st data of configmap. See above artifactRepository or customArtifactRepository.
1011
# default-v1-s3-artifact-repository:
1012
# archiveLogs: false
1013
# s3:
1014
# bucket: my-bucket
1015
# endpoint: minio:9000
1016
# insecure: true
1017
# accessKeySecret:
1018
# name: my-minio-cred
1019
# key: accesskey
1020
# secretKeySecret:
1021
# name: my-minio-cred
1022
# key: secretkey
1023
# # 2nd data
1024
# oss-artifact-repository:
1025
# archiveLogs: false
1026
# oss:
1027
# endpoint: http://oss-cn-zhangjiakou-internal.aliyuncs.com
1028
# bucket: $mybucket
1029
# # accessKeySecret and secretKeySecret are secret selectors.
1030
# # It references the k8s secret named 'bucket-workflow-artifect-credentials'.
1031
# # This secret is expected to have the keys 'accessKey'
1032
# # and 'secretKey', containing the base64 encoded credentials
1033
# # to the bucket.
1034
# accessKeySecret:
1035
# name: $mybucket-credentials
1036
# key: accessKey
1037
# secretKeySecret:
1038
# name: $mybucket-credentials
1039
# key: secretKey
1040
# # 2nd ConfigMap
1041
# another-artifact-repositories:
1042
# annotations:
1043
# workflows.argoproj.io/default-artifact-repository: gcs
1044
# gcs:
1045
# bucket: my-bucket
1046
# keyFormat: prefix/in/bucket/{{workflow.name}}/{{pod.name}}
1047
# serviceAccountKeySecret:
1048
# name: my-gcs-credentials
1049
# key: serviceAccountKey
1050
1051
emissary:
1052
# -- The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used.
1053
## See more: https://argo-workflows.readthedocs.io/en/stable/workflow-executors/#emissary-emissary
1054
images: []
1055
# argoproj/argosay:v2:
1056
# cmd: [/argosay]
1057
# docker/whalesay:latest:
1058
# cmd: [/bin/bash]
1059
The trusted source for open source
Talk to an expertProduct
Customers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.