codefresh-io · mikhail-klimko · Aug 25, 2025 · Aug 25, 2025 · Aug 25, 2025 · Aug 25, 2025
@@ -32,6 +32,7 @@ dependencies:
 - name: sealed-secrets
   repository: https://bitnami-labs.github.io/sealed-secrets/
   version: 2.17.2
+  condition: sealed-secrets.enabled
 - name: codefresh-tunnel-client
   repository: oci://quay.io/codefresh/charts
   version: 0.1.21

@@ -15,6 +15,68 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/)
 ## Codefresh official documentation:
 Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/
 
+## Multi Runtime Installation
+You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace.
+To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below:
+```yaml
+global:
+  runtime:
+    singleNamespace: true
+sealed-secrets:
+  enabled: false
+argo-cd:
+  createClusterRoles: false
+  crds:
+    install: false
+  configs:
+    params:
+      application.namespaces: ''
+argo-events:
+  controller:
+    rbac:
+      namespaced: true
+argo-workflows:
+  crds:
+    install: false
+  singleNamespace: true
+  createAggregateRoles: false
+  controller:
+    clusterWorkflowTemplates:
+      enabled: false
+  server:
+    clusterWorkflowTemplates:
+      enabled: false
+argo-rollouts:
+  enabled: false
+tunnel-client:
+  enabled: false
+gitops-operator:
+  crds:
+    install: false
+```
+
+Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values:
+```yaml
+global:
+  runtime:
+    isConfigurationRuntime: true
+argo-cd:
+  crds:
+    install: true
+argo-workflows:
+  crds:
+    install: true
+argo-rollouts:
+  installCRDs: true
+gitops-operator:
+  crds:
+    install: true
+```
+
+> [!WARNING]
+> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`.
+> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported.
+
 ## Argo-workflows artifact and log storage
 Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration.
 If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values:
@@ -395,14 +457,14 @@ gitops-operator:
 | app-proxy.image-enrichment.serviceAccount.name | string | `"codefresh-image-enrichment-sa"` | Name of the service account to create or the name of the existing one to use |
 | app-proxy.image.pullPolicy | string | `"IfNotPresent"` |  |
 | app-proxy.image.repository | string | `"quay.io/codefresh/cap-app-proxy"` |  |
-| app-proxy.image.tag | string | `"1.3706.0"` |  |
+| app-proxy.image.tag | string | `"1.3718.0"` |  |
 | app-proxy.imagePullSecrets | list | `[]` |  |
 | app-proxy.initContainer.command[0] | string | `"./init.sh"` |  |
 | app-proxy.initContainer.env | object | `{}` |  |
 | app-proxy.initContainer.extraVolumeMounts | list | `[]` | Extra volume mounts for init container |
 | app-proxy.initContainer.image.pullPolicy | string | `"IfNotPresent"` |  |
 | app-proxy.initContainer.image.repository | string | `"quay.io/codefresh/cap-app-proxy-init"` |  |
-| app-proxy.initContainer.image.tag | string | `"1.3706.0"` |  |
+| app-proxy.initContainer.image.tag | string | `"1.3718.0"` |  |
 | app-proxy.initContainer.resources.limits | object | `{}` |  |
 | app-proxy.initContainer.resources.requests.cpu | string | `"0.2"` |  |
 | app-proxy.initContainer.resources.requests.memory | string | `"256Mi"` |  |
@@ -549,6 +611,7 @@ gitops-operator:
 | event-reporters.workflow.sensor.tolerations | list | `[]` |  |
 | event-reporters.workflow.serviceAccount.create | bool | `true` |  |
 | gitops-operator.affinity | object | `{}` |  |
+| gitops-operator.config | object | `{"commitStatusPollingInterval":"10s","maxConcurrentReleases":100,"promotionWrapperTemplate":"","taskPollingInterval":"10s","workflowMonitorPollingInterval":"10s"}` | GitOps operator configuration |
 | gitops-operator.config.commitStatusPollingInterval | string | `"10s"` | Commit status polling interval |
 | gitops-operator.config.maxConcurrentReleases | int | `100` | Maximum number of concurrent releases being processed by the operator (this will not affect the number of releases being processed by the gitops runtime) |
 | gitops-operator.config.promotionWrapperTemplate | string | `""` | An optional template for the promotion wrapper (empty default will use the embedded one) |
@@ -561,9 +624,7 @@ gitops-operator:
 | gitops-operator.crds.keep | bool | `false` | Keep CRDs if gitops runtime release is uninstalled |
 | gitops-operator.enabled | bool | `true` |  |
 | gitops-operator.fullnameOverride | string | `""` |  |
-| gitops-operator.image.registry | string | `"quay.io"` | defaults |
-| gitops-operator.image.repository | string | `"codefresh/codefresh-gitops-operator"` |  |
-| gitops-operator.image.tag | string | `"v0.11.1"` |  |
+| gitops-operator.image | object | `{"registry":"quay.io","repository":"codefresh/codefresh-gitops-operator","tag":"v0.11.1"}` | GitOps operator image |
 | gitops-operator.imagePullSecrets | list | `[]` |  |
 | gitops-operator.nameOverride | string | `""` |  |
 | gitops-operator.nodeSelector | object | `{}` |  |
@@ -616,7 +677,7 @@ gitops-operator:
 | global.httpsProxy | string | `""` | global HTTPS_PROXY for all components |
 | global.noProxy | string | `""` | global NO_PROXY for all components |
 | global.nodeSelector | object | `{}` | Global nodeSelector for all components |
-| global.runtime | object | `{"cluster":"https://kubernetes.default.svc","codefreshHosted":false,"eventBus":{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"},"gitCredentials":{"password":{"secretKeyRef":{},"value":null},"username":"username"},"ingress":{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]},"ingressUrl":"","isConfigurationRuntime":false,"name":null}` | Runtime level settings |
+| global.runtime | object | `{"cluster":"https://kubernetes.default.svc","codefreshHosted":false,"eventBus":{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"},"gitCredentials":{"password":{"secretKeyRef":{},"value":null},"username":"username"},"ingress":{"annotations":{},"className":"nginx","enabled":false,"hosts":[],"labels":{},"protocol":"https","skipValidation":false,"tls":[]},"ingressUrl":"","isConfigurationRuntime":false,"name":null,"singleNamespace":false}` | Runtime level settings |
 | global.runtime.cluster | string | `"https://kubernetes.default.svc"` | Runtime cluster. Should not be changed. |
 | global.runtime.codefreshHosted | bool | `false` | Defines whether this is a Codefresh hosted runtime. Should not be changed. |
 | global.runtime.eventBus | object | `{"annotations":{},"jetstream":{"affinity":{},"containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[],"version":"latest"},"name":"","nats":{"native":{"affinity":{},"auth":"token","containerTemplate":{"resources":{"limits":{"cpu":"500m","ephemeral-storage":"2Gi","memory":"4Gi"},"requests":{"cpu":"200m","ephemeral-storage":"2Gi","memory":"1Gi"}}},"maxPayload":"4MB","metadata":{"labels":{"app.kubernetes.io/name":"codefresh-eventbus"}},"nodeSelector":{},"replicas":3,"tolerations":[]}},"pdb":{"enabled":true,"minAvailable":2},"type":"nats"}` | Runtime eventbus |
@@ -637,6 +698,7 @@ gitops-operator:
 | global.runtime.ingressUrl | string | `""` | Explicit url for runtime ingress. Provide this value only if you don't want the chart to create and ingress (global.runtime.ingress.enabled=false) and tunnel-client is not used (tunnel-client.enabled=false) |
 | global.runtime.isConfigurationRuntime | bool | `false` | is the runtime set as a "configuration runtime". |
 | global.runtime.name | string | `nil` | Runtime name. Must be unique per platform account. |
+| global.runtime.singleNamespace | bool | `false` | Runtime single namespace mode. When true, runtime operates in single namespace scope. |
 | global.tolerations | list | `[]` | Global tolerations for all components |
 | installer | object | `{"affinity":{},"argoCdVersionCheck":{"argoServerLabels":{"app.kubernetes.io/component":"server","app.kubernetes.io/part-of":"argocd"}},"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/codefresh/gitops-runtime-installer","tag":""},"nodeSelector":{},"skipUsageValidation":false,"skipValidation":false,"tolerations":[]}` | Runtime installer used for running hooks and checks on the release |
 | installer.skipUsageValidation | bool | `false` | if set to true, pre-install hook will *not* run |
@@ -649,7 +711,7 @@ gitops-operator:
 | internal-router.fullnameOverride | string | `"internal-router"` |  |
 | internal-router.image.pullPolicy | string | `"IfNotPresent"` |  |
 | internal-router.image.repository | string | `"docker.io/nginxinc/nginx-unprivileged"` |  |
-| internal-router.image.tag | string | `"1.28-alpine3.21"` |  |
+| internal-router.image.tag | string | `"1.29-alpine3.22"` |  |
 | internal-router.imagePullSecrets | list | `[]` |  |
 | internal-router.ipv6 | object | `{"enabled":false}` | For ipv6 enabled clusters switch ipv6 enabled to true |
 | internal-router.nameOverride | string | `""` |  |

@@ -15,6 +15,69 @@ See [Use OCI-based registries](https://helm.sh/docs/topics/registries/)
 ## Codefresh official documentation:
 Prior to running the installation please see the official documentation at: https://codefresh.io/docs/docs/installation/gitops/hybrid-gitops-helm-installation/
 
+## Multi Runtime Installation
+You can install multiple Codefresh GitOps Runtimes in the same cluster, as long as each Runtime is deployed in its own namespace and manages only the applications in that namespace.
+To achieve this, configure your Runtimes to run in namespaced mode by setting `global.runtime.singleNamespace=true`. See the values.yaml example below:
+```yaml
+global:
+  runtime:
+    singleNamespace: true
+sealed-secrets:
+  enabled: false
+argo-cd:
+  createClusterRoles: false
+  crds:
+    install: false
+  configs:
+    params:
+      application.namespaces: ''
+argo-events:
+  controller:
+    rbac:
+      namespaced: true
+argo-workflows:
+  crds:
+    install: false
+  singleNamespace: true
+  createAggregateRoles: false
+  controller:
+    clusterWorkflowTemplates:
+      enabled: false
+  server:
+    clusterWorkflowTemplates:
+      enabled: false
+argo-rollouts:
+  enabled: false
+tunnel-client:
+  enabled: false
+gitops-operator:
+  crds:
+    install: false
+```
+
+Note that for the first runtime in the cluster, you have to configure it to install the CRDs, with setting these values:
+```yaml
+global:
+  runtime:
+    isConfigurationRuntime: true
+argo-cd:
+  crds:
+    install: true
+argo-workflows:
+  crds:
+    install: true
+argo-rollouts:
+  installCRDs: true
+gitops-operator:
+  crds:
+    install: true
+```
+
+> [!WARNING]
+> If you want more than one runtime in your cluster, make sure that all of the runtimes in your cluster are configured with `global.runtime.singleNamespace=true`.
+> If you already have a runtime installed in the cluster without this setting, multi runtime installation is not supported.
+
+
 ## Argo-workflows artifact and log storage
 Codefresh provides a SaaS object storage based solution for Argo workflows logs storage. The chart deploys a configmap named `codefresh-workflows-log-store` with the repository configuration.
 If you want to utilize the Codefresh SaaS solution for log storage for all workflows in the runtime please set the following values:

@@ -10,4 +10,5 @@
   {{ include "cap-app-proxy.resources.service" . }}
 ---
   {{ include "cap-app-proxy.resources.sa" .}}
-{{- end }}
+---
+{{- end }}
@@ -4,13 +4,14 @@ argoCdUsername: {{ .Values.config.argoCdUsername }}
 argoWorkflowsInsecure: {{ .Values.config.argoWorkflowsInsecure | quote }}
 argoWorkflowsUrl: {{ default "" .Values.config.argoWorkflowsUrl }}
 cors: {{ .Values.global.codefresh.url }}
-  {{- with .Values.config.clusterChunkSize }} 
+  {{- with .Values.config.clusterChunkSize }}
 clusterChunkSize: {{ . | quote }}
   {{- end }}
 env: {{ .Values.config.env | quote}}
 isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }}
 isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }}
 runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}}
+runtimeSingleNamespace: {{ .Values.global.runtime.singleNamespace | quote }}
 skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }}
 logLevel: {{ .Values.config.logLevel | quote }}
   {{- $enrichmentValues := get .Values "image-enrichment" }}

@@ -0,0 +1,11 @@
+{{- define "argo-cd.namespaced-rbac.all" }}
+{{- if (index .Values "global" "runtime").singleNamespace }}
+{{- include "argo-cd.namespaced-rbac.serviceaccount" . }}
+---
+{{- include "argo-cd.namespaced-rbac.secret" . }}
+---
+{{- include "argo-cd.namespaced-rbac.role" . }}
+---
+{{- include "argo-cd.namespaced-rbac.rolebinding" . }}
+{{- end }}
+{{- end }}
@@ -0,0 +1,17 @@
+{{- define "argo-cd.namespaced-rbac.role" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-namespaced-role
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}
+    codefresh.io/component: argocd-namespaced-rbac
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+{{- end }}
@@ -0,0 +1,18 @@
+{{- define "argo-cd.namespaced-rbac.rolebinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-namespaced-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}
+    codefresh.io/component: argocd-namespaced-rbac
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-namespaced-role
+subjects:
+- kind: ServiceAccount
+  name: argocd-manager
+  namespace: {{ .Release.Namespace }}
+{{- end }} 
@@ -0,0 +1,9 @@
+{{- define "argo-cd.namespaced-rbac.secret" }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-manager-long-lived-token
+  annotations:
+    kubernetes.io/service-account.name: argocd-manager
+type: kubernetes.io/service-account-token
+{{- end }}
@@ -0,0 +1,10 @@
+{{- define "argo-cd.namespaced-rbac.serviceaccount" }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-manager
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }}
+    codefresh.io/component: argocd-namespaced-rbac
+{{- end }}
@@ -109,6 +109,12 @@ RUNTIME_NAME:
     configMapKeyRef:
       name: cap-app-proxy-cm
       key: runtimeName
+RUNTIME_SINGLE_NAMESPACE:
+  valueFrom:
+    configMapKeyRef:
+      name: cap-app-proxy-cm
+      key: runtimeSingleNamespace
+      optional: true
 RUNTIME_TOKEN:
   valueFrom:
     secretKeyRef:
@@ -210,6 +216,7 @@ IRW_JIRA_ENRICHMENT_TASK_IMAGE:
       name: cap-app-proxy-cm
       key: enrichmentJiraEnrichmentImage
       optional: true
+
 NODE_EXTRA_CA_CERTS: /app/config/all/all.cer
 {{- if gt (int .Values.replicaCount) 1 }}
 LEADER_ID:

@@ -11,6 +11,19 @@
 {{/* Workaround to NOT change label selectors from previous runtime release when event-reporter was part of cf-argocd-extras Subchart */}}
 {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }}
 
+{{/* Remove nonResourceURLs when RBAC is namespaced */}}
+{{- $rules := $context.Values.rbac.rules }}
+{{- $_ := set $context.Values.rbac "namespaced" (get .Values.global.runtime "singleNamespace") }}
+{{- if $context.Values.rbac.namespaced }}
+    {{- $rules = list }}
+        {{- range $context.Values.rbac.rules }}
+            {{- if not .nonResourceURLs }}
+                {{- $rules = append $rules . }}
+            {{- end }}
+    {{- end }}
+{{- end }}
+{{- $_ := set $context.Values.rbac "rules" $rules }}
+
 {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }}
 {{- include $templateName $context }}
 

@@ -10,6 +10,7 @@
 
 {{/* Workaround to NOT change label selectors from previous runtime release when sources-server was part of cf-argocd-extras Subchart */}}
 {{- $_ := set $context.Values "nameOverride" "cf-argocd-extras" }}
+{{- $_ := set $context.Values.rbac "namespaced" (get .Values.global.runtime "singleNamespace") }}
 
 {{- $templateName := printf "cf-common-%s.rbac" (index .Subcharts "cf-common").Chart.Version }}
 {{- include $templateName $context }}

@@ -14,6 +14,9 @@ global:
 
 replicaCount: 1
 
+# -- Restrict the gitops operator to a single namespace (by the namespace of Helm release)
+singleNamespace: false
+
 # -- Codefresh gitops operator crds
 crds:
   # -- Whether or not to install CRDs

@@ -15,6 +15,7 @@ COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }}
 WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }}
 MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }}
 PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }}
+RUNTIME_SINGLE_NAMESPACE: {{ .Values.global.runtime.singleNamespace }}
 {{- end }}
 
 {{- define "gitops-operator.resources.environment-variables.defaults" -}}
@@ -36,7 +37,7 @@ NAMESPACE:
   valueFrom:
     fieldRef:
       fieldPath: metadata.namespace
-RUNTIME_VERSION: 
+RUNTIME_VERSION:
   valueFrom:
     configMapKeyRef:
       name: codefresh-cm

@@ -14,7 +14,9 @@
 ---
   {{- include "gitops-operator.crds.product" $context }}
 ---
+  {{- if not (get .Values.global "runtime").singleNamespace }}
   {{- include "gitops-operator.crds.restricted-gitsource" $context }}
+  {{- end }}
 ---
   {{- include "gitops-operator.crds.promotion-policy" $context }}
 {{- end }}