Merge pull request #97 from codefresh-io/feat/acr-controller

feat: support acr controller as part of argocd deployment

Author: pasha-codefresh

charts/argo-cd/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: v2.12-2024.9.9-ba613c5bd
+appVersion: v2.12-2024.9.23-0dc32342c
 kubeVersion: ">=1.23.0-0"
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
 name: argo-cd
@@ -27,4 +27,4 @@ annotations:
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
     - kind: changed
-      description: Upgrade argo-cd to v2.12-2024.9.9-ba613c5bd with reporting of resources health errors on level with application event
+      description: Upgrade argo-cd to v2.12-2024.9.23-0dc32342c with and add acr controller support

charts/argo-cd/README.md

@@ -669,6 +669,47 @@ NAME: my-release
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| acrController.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules to the deployment |
+| acrController.clusterRoleRules.enabled | bool | `false` | Enable custom rules for the acr controller's ClusterRole resource |
+| acrController.clusterRoleRules.rules | list | `[]` | List of custom rules for the acr controller's ClusterRole resource |
+| acrController.containerPorts.health | int | `8090` |  |
+| acrController.containerSecurityContext | object | See [values.yaml] | acr controller container-level security context |
+| acrController.dnsConfig | object | `{}` | [DNS configuration] |
+| acrController.dnsPolicy | string | `"ClusterFirst"` | Alternative DNS policy for acr controller pods |
+| acrController.enabled | bool | `false` |  |
+| acrController.env | list | `[]` | Environment variables to pass to acr controller |
+| acrController.envFrom | list | `[]` (See [values.yaml]) | envFrom to pass to acr controller |
+| acrController.extraArgs | list | `[]` | Additional command line arguments to pass to acr controller |
+| acrController.extraContainers | list | `[]` | Additional containers to be added to the acr controller pod |
+| acrController.hostNetwork | bool | `false` | Host Network for acr controller pods |
+| acrController.image.imagePullPolicy | string | `""` (defaults to global.image.imagePullPolicy) | Image pull policy for the acr controller |
+| acrController.image.repository | string | `""` (defaults to global.image.repository) | Repository to use for the acr controller |
+| acrController.image.tag | string | `""` (defaults to global.image.tag) | Tag to use for the acr controller |
+| acrController.imagePullSecrets | list | `[]` (defaults to global.imagePullSecrets) | Secrets with credentials to pull images from a private registry |
+| acrController.initContainers | list | `[]` | Init containers to add to the acr controller pod |
+| acrController.name | string | `"acr-controller"` |  |
+| acrController.nodeSelector | object | `{}` (defaults to global.nodeSelector) | [Node selector] |
+| acrController.podAnnotations | object | `{}` | Annotations to be added to acr controller pods |
+| acrController.podLabels | object | `{}` | Labels to be added to acr controller pods |
+| acrController.priorityClassName | string | `""` (defaults to global.priorityClassName) | Priority class for the acr controller pods |
+| acrController.readinessProbe.failureThreshold | int | `3` | Minimum consecutive failures for the [probe] to be considered failed after having succeeded |
+| acrController.readinessProbe.initialDelaySeconds | int | `10` | Number of seconds after the container has started before [probe] is initiated |
+| acrController.readinessProbe.periodSeconds | int | `10` | How often (in seconds) to perform the [probe] |
+| acrController.readinessProbe.successThreshold | int | `1` | Minimum consecutive successes for the [probe] to be considered successful after having failed |
+| acrController.readinessProbe.timeoutSeconds | int | `1` | Number of seconds after which the [probe] times out |
+| acrController.replicas | int | `1` |  |
+| acrController.resources | object | `{}` | Resource limits and requests for the acr controller pods |
+| acrController.serviceAccount.annotations | object | `{}` | Annotations applied to created service account |
+| acrController.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
+| acrController.serviceAccount.create | bool | `true` | Create a service account for the acr controller |
+| acrController.serviceAccount.labels | object | `{}` | Labels applied to created service account |
+| acrController.serviceAccount.name | string | `"acr-controller"` | Service account name |
+| acrController.statefulsetAnnotations | object | `{}` | Annotations for the acr controller StatefulSet |
+| acrController.terminationGracePeriodSeconds | int | `30` | terminationGracePeriodSeconds for container lifecycle hook |
+| acrController.tolerations | list | `[]` (defaults to global.tolerations) | [Tolerations] for use with node taints |
+| acrController.topologySpreadConstraints | list | `[]` (defaults to global.topologySpreadConstraints) | Assign custom [TopologySpreadConstraints] rules to the acr controller |
+| acrController.volumeMounts | list | `[]` | Additional volumeMounts to the acr controller main container |
+| acrController.volumes | list | `[]` | Additional volumes to the acr controller pod |
 | apiVersionOverrides | object | `{}` |  |
 | applicationVersioning.enabled | bool | `true` | enables the Codefresh application versioning feature |
 | applicationVersioning.useApplicationConfiguration | bool | `true` | use ApplicationConfiguration CRD to manage application versioning |

charts/argo-cd/templates/_helpers.tpl

@@ -285,3 +285,20 @@ Helper template to set argocd server url in event reporter
   {{- end }}
   {{- printf "%s:%v" (include "argo-cd.server.fullname" .) $port }}
 {{- end -}}
+
+{{/*
+  Create acr controller name and version as used by the chart label.
+*/}}
+{{- define "argo-cd.acr-controller.fullname" -}}
+{{- printf "%s-%s" (include "argo-cd.fullname" .) .Values.acrController.name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{/*
+  Create the name of the acr controller service account to use
+  */}}
+{{- define "argo-cd.acrControllerServiceAccountName" -}}
+{{- if .Values.acrController.serviceAccount.create -}}
+{{ default (include "argo-cd.acr-controller.fullname" .) .Values.acrController.serviceAccount.name }}
+{{- else -}}
+{{ default "default" .Values.acrController.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

charts/argo-cd/templates/acr-controller/clusterrole.yaml

@@ -0,0 +1,26 @@
+{{- if .Values.acrController.enabled }}
+{{- $config := .Values.acrController.clusterAdminAccess | default dict -}}
+{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "argo-cd.acr-controller.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
+rules:
+  {{- if .Values.acrController.clusterRoleRules.enabled }}
+    {{- toYaml .Values.acrController.clusterRoleRules.rules | nindent 2 }}
+  {{- else }}
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - applications
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - update
+{{- end }}
+{{- end }}
+{{- end }}

charts/argo-cd/templates/acr-controller/clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.acrController.enabled }}
+{{- $config := .Values.acrController.clusterAdminAccess | default dict -}}
+{{- if hasKey $config "enabled" | ternary $config.enabled .Values.createClusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "argo-cd.acr-controller.fullname" . }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "argo-cd.acr-controller.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "argo-cd.acrControllerServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
+{{- end }}

charts/argo-cd/templates/acr-controller/deployment.yaml

@@ -0,0 +1,161 @@
+{{- if .Values.acrController.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  {{- with (mergeOverwrite (deepCopy .Values.global.statefulsetAnnotations) .Values.acrController.statefulsetAnnotations) }}
+  annotations:
+    {{- range $key, $value := . }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  name: {{ template "argo-cd.acr-controller.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
+spec:
+  replicas: {{ .Values.acrController.replicas }}
+  # TODO: Remove for breaking release as history limit cannot be patched
+  revisionHistoryLimit: 5
+  selector:
+    matchLabels:
+      {{- include "argo-cd.selectorLabels" (dict "context" . "name" .Values.acrController.name) | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 8 }}
+        {{- with (mergeOverwrite (deepCopy .Values.global.podLabels) .Values.acrController.podLabels) }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.acrController.imagePullSecrets | default .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.hostAliases }}
+      hostAliases:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.global.securityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.acrController.priorityClassName | default .Values.global.priorityClassName }}
+      priorityClassName: {{ . }}
+      {{- end }}
+      {{- if .Values.acrController.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.acrController.terminationGracePeriodSeconds }}
+      {{- end }}
+      serviceAccountName: {{ include "argo-cd.acrControllerServiceAccountName" . }}
+      containers:
+      - args:
+        - /usr/local/bin/argocd-application-change-revision-controller
+        {{- with .Values.acrController.extraArgs }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+        image: {{ default .Values.global.image.repository .Values.acrController.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.acrController.image.tag }}
+        imagePullPolicy: {{ default .Values.global.image.imagePullPolicy .Values.acrController.image.imagePullPolicy }}
+        name: {{ .Values.acrController.name }}
+        env:
+          {{- with (concat .Values.global.env .Values.acrController.env) }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+            - name: ARGOCD_SERVER
+              value: "http://argocd-server:80"
+            - name: ARGOCD_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  key: token
+                  name: argocd-token
+            - name: ARGOCD_APPLICATION_NAMESPACES
+              valueFrom:
+                configMapKeyRef:
+                  name: argocd-cmd-params-cm
+                  key: application.namespaces
+                  optional: true
+            - name: ACR_CONTROLLER_LOGFORMAT
+              valueFrom:
+                configMapKeyRef:
+                  name: argocd-cmd-params-cm
+                  key: acr.log.format
+                  optional: true
+            - name: ACR_CONTROLLER_LOG_LEVEL
+              valueFrom:
+                configMapKeyRef:
+                  name: argocd-cmd-params-cm
+                  key: acr.log.level
+                  optional: true
+            - name: ACR_CONTROLLER_LISTEN_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  name: argocd-cmd-params-cm
+                  key: acr.listen.address
+                  optional: true
+        {{- with .Values.acrController.envFrom }}
+        envFrom:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        ports:
+          - name: health
+            containerPort: {{ .Values.acrController.containerPorts.health }}
+            protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /healthz?full=true
+            port: health
+          initialDelaySeconds: 3
+          periodSeconds: 30
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: health
+          initialDelaySeconds: {{ .Values.acrController.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.acrController.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.acrController.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.acrController.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.acrController.readinessProbe.failureThreshold }}
+        resources:
+          {{- toYaml .Values.acrController.resources | nindent 12 }}
+        {{- with .Values.acrController.containerSecurityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      {{- with .Values.acrController.extraContainers }}
+        {{- tpl (toYaml .) $ | nindent 6 }}
+      {{- end }}
+      {{- with .Values.acrController.initContainers }}
+      initContainers:
+        {{- tpl (toYaml .) $ | nindent 6 }}
+      {{- end }}
+      {{- with include "argo-cd.affinity" (dict "context" . "component" .Values.acrController) }}
+      affinity:
+        {{- trim . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.acrController.nodeSelector | default .Values.global.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.acrController.tolerations | default .Values.global.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.acrController.topologySpreadConstraints | default .Values.global.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- range $constraint := . }}
+      - {{ toYaml $constraint | nindent 8 | trim }}
+          {{- if not $constraint.labelSelector }}
+        labelSelector:
+          matchLabels:
+            {{- include "argo-cd.selectorLabels" (dict "context" $ "name" $.Values.acrController.name) | nindent 12 }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+      {{- if .Values.acrController.hostNetwork }}
+      hostNetwork: {{ .Values.acrController.hostNetwork }}
+      {{- end }}
+      {{- with .Values.acrController.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      dnsPolicy: {{ .Values.acrController.dnsPolicy }}
+{{- end }}

charts/argo-cd/templates/acr-controller/role.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.acrController.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "argo-cd.acr-controller.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - applications
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+      - update
+{{- end }}

charts/argo-cd/templates/acr-controller/rolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.acrController.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "argo-cd.acr-controller.fullname" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "argo-cd.acr-controller.fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "argo-cd.acrControllerServiceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}

charts/argo-cd/templates/acr-controller/serviceaccount.yaml

@@ -0,0 +1,19 @@
+{{- if and .Values.acrController.enabled .Values.acrController.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.acrController.serviceAccount.automountServiceAccountToken }}
+metadata:
+  name: {{ template "argo-cd.acrControllerServiceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- if .Values.acrController.serviceAccount.annotations }}
+  annotations:
+  {{- range $key, $value := .Values.acrController.serviceAccount.annotations }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+{{- end }}
+  labels:
+    {{- include "argo-cd.labels" (dict "context" . "component" .Values.acrController.name "name" .Values.acrController.name) | nindent 4 }}
+  {{- range $key, $value := .Values.acrController.serviceAccount.labels }}
+    {{ $key }}: {{ $value | quote }}
+  {{- end }}
+{{- end }}

charts/argo-cd/templates/crds/crd-application.yaml

@@ -125,6 +125,12 @@ spec:
               sync:
                 description: Sync contains parameters for the operation
                 properties:
+                  changeRevision:
+                    type: string
+                  changeRevisions:
+                    items:
+                      type: string
+                    type: array
                   dryRun:
                     description: DryRun specifies to perform a `kubectl apply --dry-run`
                       without actually performing the sync
@@ -2547,6 +2553,12 @@ spec:
                       sync:
                         description: Sync contains parameters for the operation
                         properties:
+                          changeRevision:
+                            type: string
+                          changeRevisions:
+                            items:
+                              type: string
+                            type: array
                           dryRun:
                             description: DryRun specifies to perform a `kubectl apply
                               --dry-run` without actually performing the sync