feat(argo-cd): Add global domain configuration (#2499)
Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
pdrastil authored Feb 16, 2024
1 parent ba20d95 commit f8b1fec
Showing 11 changed files with 80 additions and 49 deletions.
6 changes: 3 additions & 3 deletions charts/argo-cd/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ appVersion: v2.10.1
kubeVersion: ">=1.23.0-0"
description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes.
name: argo-cd
version: 6.0.14
version: 6.1.0
home: https://github.com/argoproj/argo-helm
icon: https://argo-cd.readthedocs.io/en/stable/assets/logo.png
sources:
Expand All @@ -26,5 +26,5 @@ annotations:
fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
url: https://argoproj.github.io/argo-helm/pgp_keys.asc
artifacthub.io/changes: |
- kind: changed
description: Bump argo-cd to v2.10.1
- kind: added
description: Configuration option global.domain that is tied to all components
44 changes: 29 additions & 15 deletions charts/argo-cd/README.md
Expand Up @@ -74,14 +74,15 @@ below corespond to their respective sections.
The `tls: true` option will expect that the `argocd-server-tls` secret exists as Argo CD server loads TLS certificates from this place.

```yaml
global:
domain: argocd.example.com
certificate:
enabled: true
domain: argocd.example.com
server:
ingress:
enabled: true
hostname: argocd.example.com
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
Expand All @@ -92,14 +93,16 @@ server:
### SSL Termination at Ingress Controller

```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
hostname: argocd.example.com
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
Expand All @@ -119,14 +122,16 @@ server:
Use `ingressGrpc` section if your ingress controller supports only a single protocol per Ingress resource (i.e.: Contour).

```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
hostname: argocd.example.com
ingressClassName: contour-internal
extraTls:
- hosts:
Expand All @@ -135,7 +140,6 @@ server:
ingressGrpc:
enabled: true
hostname: grpc.argocd.example.com
ingressClassName: contour-internal
extraTls:
- hosts:
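Review bot: the `ingressGrpc` example no longer sets `hostname: grpc.argocd.example.com`, and nothing in this hunk or in the values-table changes shown in this commit says what the gRPC host falls back to. State the default next to the example (or keep the explicit hostname), and check that the host listed under `extraTls` in this block still matches the name that ends up on the Ingress rule, otherwise the TLS entry covers a name the rule no longer uses.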
Expand All @@ -146,10 +150,12 @@ server:
### Multiple ingress domains

```yaml
global:
domain: argocd.example.com
server:
ingress:
enabled: true
hostname: argocd.example.com
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: "<my-issuer>"
Expand All @@ -169,22 +175,24 @@ The provided example assumes you are using TLS off-loading via AWS ACM service.
> Using `controller: aws` creates additional service for gRPC traffic and it's no longer need to use `ingressGrpc` configuration section.

```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
server:
ingress:
enabled: true
hostname: argocd.example.com
controller: aws
ingressClassName: alb
annotations:
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/backend-protocol: HTTP
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/ssl-redirect" '443'
alb.ingress.kubernetes.io/ssl-redirect: '443'
aws:
serviceType: ClusterIP # <- Used with target-type: ip
backendProtocolVersion: GRPC
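Review bot: while the `ssl-redirect` key is being fixed, the unchanged line above it still reads `listen-ports: '[{"HTTPS":80}, {"HTTPS":443}]'`. The redirect set by `ssl-redirect: '443'` applies to HTTP listeners, so port 80 should be declared as `{"HTTP":80}`; with an HTTPS listener on 80 the example does not produce the HTTP-to-HTTPS redirect it appears to document. Worth correcting in the same change, in both README.md and README.md.gotmpl.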
Expand All @@ -196,6 +204,9 @@ The implementation will populate `ingressClassName`, `networking.gke.io/managed-
automatically if you provide configuration for GKE resources.

```yaml
global:
domain: argocd.example.com
configs:
params:
server.insecure: true
Expand All @@ -208,7 +219,6 @@ server:
ingress:
enabled: true
hostname: argocd.example.com
controller: gke
gke:
backendConfig:
Expand Down Expand Up @@ -268,6 +278,10 @@ For full list of changes please check ArtifactHub [changelog].

Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.

### 6.1.0

Added support for global domain used by all components.

### 6.0.0

This version **removes support for**:
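Review bot: the 6.1.0 entry gives no upgrade step, although this section exists to tell users what to do when upgrading. The same commit changes the documented defaults of `server.ingress.hostname`, `server.certificate.domain` and the ApplicationSet equivalents to `""` (falling back to `global.domain`), drops `configs.cm.url` from the values table, and gives `notifications.argocdUrl` a derived default. Spell out that users should set `global.domain`, and say what happens to an existing `configs.cm.url` value.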
Expand Down Expand Up @@ -610,6 +624,7 @@ NAME: my-release
| global.certificateAnnotations | object | `{}` | Annotations for the all deployed Certificates |
| global.deploymentAnnotations | object | `{}` | Annotations for the all deployed Deployments |
| global.deploymentStrategy | object | `{}` | Deployment strategy for the all deployed Deployments |
| global.domain | string | `"argocd.example.com"` | Default domain used by all components |
| global.env | list | `[]` | Environment variables to pass to all deployed Deployments |
| global.hostAliases | list | `[]` | Mapping between IP and hostnames that will be injected as entries in the pod's hosts files |
| global.image.imagePullPolicy | string | `"IfNotPresent"` | If defined, a imagePullPolicy applied to all Argo CD deployments |
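Review bot: `global.domain` defaults to the placeholder `"argocd.example.com"`, and after this commit that one value feeds the Argo CD `url`, the certificate `commonName`/`dnsNames`, the ApplicationSet ingress host and the notifications `argocdUrl`. An install that forgets to override it renders all of those for the placeholder name without any error. Consider failing the render when the value is left at the placeholder or empty, or at least state in the description that it must be overridden.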
Expand Down Expand Up @@ -643,7 +658,6 @@ NAME: my-release
| configs.cm."timeout.reconciliation" | string | `"180s"` | Timeout to discover if a new manifests version got published to the repository |
| configs.cm.annotations | object | `{}` | Annotations to be added to argocd-cm configmap |
| configs.cm.create | bool | `true` | Create the argocd-cm configmap for [declarative setup] |
| configs.cm.url | string | `""` | Argo CD's externally facing base URL (optional). Required when configuring SSO |
| configs.cmp.annotations | object | `{}` | Annotations to be added to argocd-cmp-cm configmap |
| configs.cmp.create | bool | `false` | Create the argocd-cmp-cm configmap |
| configs.cmp.plugins | object | `{}` | Plugin yaml files to be added to argocd-cmp-cm |
Expand Down Expand Up @@ -884,7 +898,7 @@ NAME: my-release
| server.autoscaling.targetMemoryUtilizationPercentage | int | `50` | Average memory utilization percentage for the Argo CD server [HPA] |
| server.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
| server.certificate.annotations | object | `{}` | Annotations to be applied to the Server Certificate |
| server.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
| server.certificate.domain | string | `""` (defaults to global.domain) | Certificate primary domain (commonName) |
| server.certificate.duration | string | `""` (defaults to 2160h = 90d if not specified) | The requested 'duration' (i.e. lifetime) of the certificate. |
| server.certificate.enabled | bool | `false` | Deploy a Certificate resource (requires cert-manager) |
| server.certificate.issuer.group | string | `""` | Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` |
Expand Down Expand Up @@ -938,7 +952,7 @@ NAME: my-release
| server.ingress.gke.frontendConfig | object | `{}` (See [values.yaml]) | Google [FrontendConfig] resource, for use with the GKE Ingress Controller |
| server.ingress.gke.managedCertificate.create | bool | `true` | Create ManagedCertificate resource and annotations for Google Load balancer |
| server.ingress.gke.managedCertificate.extraDomains | list | `[]` | Additional domains for ManagedCertificate resource |
| server.ingress.hostname | string | `"argocd.example.com"` | Argo CD server hostname |
| server.ingress.hostname | string | `""` (defaults to global.domain) | Argo CD server hostname |
| server.ingress.ingressClassName | string | `""` | Defines which ingress controller will implement the resource |
| server.ingress.labels | object | `{}` | Additional ingress labels |
| server.ingress.path | string | `"/"` | The path to Argo CD server |
Expand Down Expand Up @@ -1272,7 +1286,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
| applicationSet.certificate.additionalHosts | list | `[]` | Certificate Subject Alternate Names (SANs) |
| applicationSet.certificate.annotations | object | `{}` | Annotations to be applied to the ApplicationSet Certificate |
| applicationSet.certificate.domain | string | `"argocd.example.com"` | Certificate primary domain (commonName) |
| applicationSet.certificate.domain | string | `""` (defaults to global.domain) | Certificate primary domain (commonName) |
| applicationSet.certificate.duration | string | `""` (defaults to 2160h = 90d if not specified) | The requested 'duration' (i.e. lifetime) of the certificate. |
| applicationSet.certificate.enabled | bool | `false` | Deploy a Certificate resource (requires cert-manager) |
| applicationSet.certificate.issuer.group | string | `""` | Certificate issuer group. Set if using an external issuer. Eg. `cert-manager.io` |
Expand Down Expand Up @@ -1309,7 +1323,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| applicationSet.ingress.extraPaths | list | `[]` (See [values.yaml]) | Additional ingress paths |
| applicationSet.ingress.extraRules | list | `[]` (See [values.yaml]) | Additional ingress rules |
| applicationSet.ingress.extraTls | list | `[]` (See [values.yaml]) | Additional ingress TLS configuration |
| applicationSet.ingress.hostname | string | `"argocd.example.com"` | Argo CD ApplicationSet hostname |
| applicationSet.ingress.hostname | string | `""` (defaults to global.domain) | Argo CD ApplicationSet hostname |
| applicationSet.ingress.ingressClassName | string | `""` | Defines which ingress ApplicationSet controller will implement the resource |
| applicationSet.ingress.labels | object | `{}` | Additional ingress labels |
| applicationSet.ingress.path | string | `"/api/webhook"` | List of ingress paths |
Expand Down Expand Up @@ -1377,7 +1391,7 @@ If you want to use an existing Redis (eg. a managed service from a cloud provide
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| notifications.affinity | object | `{}` (defaults to global.affinity preset) | Assign custom [affinity] rules |
| notifications.argocdUrl | string | `nil` | Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates |
| notifications.argocdUrl | string | `""` (defaults to https://`global.domain`) | Argo CD dashboard url; used in place of {{.context.argocdUrl}} in templates |
| notifications.clusterRoleRules.rules | list | `[]` | List of custom rules for the notifications controller's ClusterRole resource |
| notifications.cm.create | bool | `true` | Whether helm chart creates notifications controller config map |
| notifications.containerPorts.metrics | int | `9001` | Metrics container port |
32 changes: 23 additions & 9 deletions charts/argo-cd/README.md.gotmpl
Expand Up @@ -73,14 +73,15 @@ below corespond to their respective sections.
The `tls: true` option will expect that the `argocd-server-tls` secret exists as Argo CD server loads TLS certificates from this place.

```yaml
global:
domain: argocd.example.com

certificate:
enabled: true
domain: argocd.example.com

server:
ingress:
enabled: true
hostname: argocd.example.com
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
Expand All @@ -91,14 +92,16 @@ server:
### SSL Termination at Ingress Controller

```yaml
global:
domain: argocd.example.com

configs:
params:
server.insecure: true

server:
ingress:
enabled: true
hostname: argocd.example.com
ingressClassName: nginx
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
Expand All @@ -118,14 +121,16 @@ server:
Use `ingressGrpc` section if your ingress controller supports only a single protocol per Ingress resource (i.e.: Contour).

```yaml
global:
domain: argocd.example.com

configs:
params:
server.insecure: true

server:
ingress:
enabled: true
hostname: argocd.example.com
ingressClassName: contour-internal
extraTls:
- hosts:
Expand All @@ -134,7 +139,6 @@ server:

ingressGrpc:
enabled: true
hostname: grpc.argocd.example.com
ingressClassName: contour-internal
extraTls:
- hosts:
Expand All @@ -145,10 +149,12 @@ server:
### Multiple ingress domains

```yaml
global:
domain: argocd.example.com

server:
ingress:
enabled: true
hostname: argocd.example.com
ingressClassName: nginx
annotations:
cert-manager.io/cluster-issuer: "<my-issuer>"
Expand All @@ -168,22 +174,24 @@ The provided example assumes you are using TLS off-loading via AWS ACM service.
> Using `controller: aws` creates additional service for gRPC traffic and it's no longer need to use `ingressGrpc` configuration section.

```yaml
global:
domain: argocd.example.com

configs:
params:
server.insecure: true

server:
ingress:
enabled: true
hostname: argocd.example.com
controller: aws
ingressClassName: alb
annotations:
alb.ingress.kubernetes.io/scheme: internal
alb.ingress.kubernetes.io/target-type: ip
alb.ingress.kubernetes.io/backend-protocol: HTTP
alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":80}, {"HTTPS":443}]'
alb.ingress.kubernetes.io/ssl-redirect" '443'
alb.ingress.kubernetes.io/ssl-redirect: '443'
aws:
serviceType: ClusterIP # <- Used with target-type: ip
backendProtocolVersion: GRPC
Expand All @@ -195,6 +203,9 @@ The implementation will populate `ingressClassName`, `networking.gke.io/managed-
automatically if you provide configuration for GKE resources.

```yaml
global:
domain: argocd.example.com

configs:
params:
server.insecure: true
Expand All @@ -207,7 +218,6 @@ server:

ingress:
enabled: true
hostname: argocd.example.com
controller: gke
gke:
backendConfig:
Expand Down Expand Up @@ -268,6 +278,10 @@ For full list of changes please check ArtifactHub [changelog].

Highlighted versions provide information about additional steps that should be performed by user when upgrading to newer version.

### 6.1.0

Added support for global domain used by all components.

### 6.0.0

This version **removes support for**:
1 change: 1 addition & 0 deletions charts/argo-cd/templates/_helpers.tpl
Expand Up @@ -163,6 +163,7 @@ Argo Configuration Preset Values (Incluenced by Values configuration)
*/}}
{{- define "argo-cd.config.cm.presets" -}}
{{- $presets := dict -}}
{{- $_ := set $presets "url" (printf "https://%s" .Values.global.domain) -}}
{{- if .Values.configs.styles -}}
{{- $_ := set $presets "ui.cssurl" "./custom/custom.styles.css" -}}
{{- end -}}
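Review bot: the new `url` preset is set unconditionally from `printf "https://%s" .Values.global.domain`, so an empty or unset `global.domain` renders `url: https://`. The README row removed in this commit notes that this URL is required when configuring SSO, so a malformed value is likely to surface at login time rather than at render time. Guard the line with `required` (or skip the preset when the domain is empty), and confirm that a user-supplied `configs.cm.url` still takes precedence over the preset, since the hunk does not show the merge order.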
Expand Up @@ -14,9 +14,9 @@ metadata:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.applicationSet.name "name" .Values.applicationSet.name) | nindent 4 }}
spec:
secretName: {{ .Values.applicationSet.certificate.secretName }}
commonName: {{ .Values.applicationSet.certificate.domain | quote }}
commonName: {{ .Values.applicationSet.certificate.domain | default .Values.global.domain }}
dnsNames:
- {{ .Values.applicationSet.certificate.domain | quote }}
- {{ .Values.applicationSet.certificate.domain | default .Values.global.domain }}
{{- range .Values.applicationSet.certificate.additionalHosts }}
- {{ . | quote }}
{{- end }}
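Review bot: `commonName` and the first `dnsNames` entry lose `| quote` in this change, while the `additionalHosts` entries just below keep it. An unquoted value that starts with `*` (a wildcard domain such as `*.example.com`) is read by YAML as an alias and the manifest fails to parse. Keep the quoting after the fallback: `{{ .Values.applicationSet.certificate.domain | default .Values.global.domain | quote }}`.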
4 changes: 1 addition & 3 deletions charts/argo-cd/templates/argocd-applicationset/ingress.yaml
Expand Up @@ -20,8 +20,7 @@ spec:
ingressClassName: {{ . }}
{{- end }}
rules:
{{- if .Values.applicationSet.ingress.hostname }}
- host: {{ .Values.applicationSet.ingress.hostname }}
- host: {{ .Values.applicationSet.ingress.hostname | default .Values.global.domain }}
http:
paths:
{{- with .Values.applicationSet.ingress.extraPaths }}
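Review bot: removing the `{{- if .Values.applicationSet.ingress.hostname }}` guard means the primary rule is now always rendered, so setting the hostname to `""` no longer yields an Ingress built only from `extraHosts`; it falls back to `global.domain` instead. By default that also puts the ApplicationSet webhook on the same host as the server ingress, since the README now documents both as defaulting to `global.domain`. If that is intended, call it out in the upgrade notes; the host value should also go through `quote`, as the `extraHosts` entries do.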
Expand All @@ -34,7 +33,6 @@ spec:
name: {{ include "argo-cd.applicationSet.fullname" . }}
port:
number: {{ .Values.applicationSet.service.port }}
{{- end }}
{{- range .Values.applicationSet.ingress.extraHosts }}
- host: {{ .name | quote }}
http:
Expand Up @@ -8,7 +8,7 @@ metadata:
{{- include "argo-cd.labels" (dict "context" . "component" .Values.notifications.name "name" .Values.notifications.name) | nindent 4 }}
data:
context: |
argocdUrl: {{ .Values.notifications.argocdUrl | quote }}
argocdUrl: {{ .Values.notifications.argocdUrl | default (printf "https://%s" .Values.global.domain) }}
{{- with .Values.notifications.context }}
{{- toYaml . | nindent 4 }}
{{- end }}
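Review bot: the fallback on the `argocdUrl` line hard-codes the `https://` scheme and the bare `global.domain`, and drops the `| quote` the line had before. Notification links will point at the wrong place for installs that serve Argo CD under a sub-path, and an unquoted value containing ` #` or `: ` is truncated or reparsed inside the `context` block. Suggest `| default (printf "https://%s" .Values.global.domain) | quote`, plus a sentence in the values description on when to override.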