Merge remote-tracking branch 'origin/main' into ci-update-cert-manager-to-v1.17.2

Author: svcAPLBot

apps.yaml

@@ -13,7 +13,7 @@ appsInfo:
     integration: Alertmanager can be activated to send alerts to configured receivers. It is configured by APL to use the global values found under settings/alerts. A team can override global settings to send alerts to their own endpoints.
   argocd:
     title: Argo CD
-    appVersion: 2.10.4
+    appVersion: 3.0.3
     repo: https://github.com/argoproj/argo-helm
     maintainers: Argo Project
     relatedLinks:

chart/chart-index/Chart.yaml

@@ -6,7 +6,7 @@ version: 0.1.0
 dependencies:
   - name: argo-cd
     alias: argocd
-    version: 6.7.3
+    version: 8.0.9
     repository: https://argoproj.github.io/argo-helm
   - name: cert-manager
     version: v1.17.2

charts/argocd/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: redis-ha
   repository: https://dandydeveloper.github.io/charts/
-  version: 4.26.1
-digest: sha256:d72c308ab0eef4233e25bfc3f8fc97cf9b02a9c5d0186ea89e2f8fb332cb9c41
-generated: "2024-02-18T19:42:53.135599+02:00"
+  version: 4.33.2
+digest: sha256:1ce334c23fe53427c771277cc7cecd4143226aba04c8a6c52513042a96e7ff5d
+generated: "2025-03-27T09:46:27.113833-07:00"

charts/argocd/Chart.yaml

@@ -1,17 +1,17 @@
 annotations:
   artifacthub.io/changes: |
     - kind: changed
-      description: Bump argo-cd to v2.10.4
+      description: Bump dex to v2.43.1
   artifacthub.io/signKey: |
     fingerprint: 2B8F22F57260EFA67BE1C5824B11F800CD9D2252
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
 apiVersion: v2
-appVersion: v2.10.4
+appVersion: v3.0.3
 dependencies:
 - condition: redis-ha.enabled
   name: redis-ha
   repository: https://dandydeveloper.github.io/charts/
-  version: 4.26.1
+  version: 4.33.2
 description: A Helm chart for Argo CD, a declarative, GitOps continuous delivery tool
   for Kubernetes.
 home: https://github.com/argoproj/argo-helm
@@ -20,12 +20,12 @@ keywords:
 - argoproj
 - argocd
 - gitops
-kubeVersion: '>=1.23.0-0'
+kubeVersion: '>=1.25.0-0'
 maintainers:
 - name: argoproj
   url: https://argoproj.github.io/
 name: argo-cd
 sources:
 - https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
 - https://github.com/argoproj/argo-cd
-version: 6.7.3
+version: 8.0.9

charts/argocd/README.md

@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+ci/
+*.gotmpl

charts/argocd/charts/redis-ha/.helmignore

@@ -1,5 +1,5 @@
 apiVersion: v2
-appVersion: 7.2.4
+appVersion: 7.2.7
 description: This Helm chart provides a highly available Redis implementation with
   a master/slave configuration and uses Sentinel sidecars for failover management
 home: http://redis.io/
@@ -9,13 +9,11 @@ keywords:
 - keyvalue
 - database
 maintainers:
-- email: [email protected]
-  name: ssalaues
 - email: [email protected]
   name: dandydeveloper
 name: redis-ha
 sources:
 - https://redis.io/download
 - https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha
 - https://github.com/oliver006/redis_exporter
-version: 4.26.1
+version: 4.33.2

charts/argocd/charts/redis-ha/Chart.yaml

@@ -27,7 +27,13 @@
     {{- end }}
     {{- end }}
     {{- range $key, $value := .Values.redis.config }}
+    {{- if kindIs "slice" $value }}
+        {{- range $value }}
+    {{ $key }} {{ . }}
+        {{- end }}
+        {{- else }}
     {{ $key }} {{ $value }}
+        {{- end }}
     {{- end }}
 {{- if .Values.auth }}
     requirepass replace-default-auth
@@ -327,7 +333,7 @@
     identify_announce_ip
 
     if [ -z "${ANNOUNCE_IP}" ]; then
-        "Error: Could not resolve the announce ip for this pod."
+        "Error: Could not resolve the announce ip for this pod"
         exit 1
     elif [ "${MASTER}" ]; then
         find_master
@@ -459,6 +465,7 @@
         identify_announce_ip
     done
 
+    trap "exit 0" TERM
     while true; do
         sleep {{ .Values.splitBrainDetection.interval }}
 
@@ -527,7 +534,7 @@
       {{- if .Values.haproxy.tls.enabled }}
       bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ $root.Values.haproxy.containerPort }} ssl crt {{ .Values.haproxy.tls.certMountPath }}{{ .Values.haproxy.tls.keyName }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
       {{ else }}
-      bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ $root.Values.redis.port }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
+      bind {{ if .Values.haproxy.IPv6.enabled }}[::]{{ end }}:{{ if ne (int $root.Values.redis.port) 0 }}{{ $root.Values.redis.port }}{{ else }}{{ $root.Values.redis.tlsPort }}{{ end }} {{ if .Values.haproxy.IPv6.enabled }}v4v6{{ end }}
       {{- end }}
       use_backend bk_redis_master
     {{- if .Values.haproxy.readOnly.enabled }}
@@ -636,11 +643,12 @@
       {{- end}}
         ping
     )
-    if [ "$response" != "PONG" ] && [ "${response:0:7}" != "LOADING" ] ; then
-      echo "$response"
-      exit 1
-    fi
     echo "response=$response"
+    case $response in
+      PONG|LOADING*) ;;
+      *) exit 1 ;;
+    esac
+    exit 0
 {{- end }}
 
 {{- define "redis_readiness.sh" }}
@@ -661,10 +669,39 @@
         ping
     )
     if [ "$response" != "PONG" ] ; then
-      echo "$response"
+      echo "ping=$response"
+      exit 1
+    fi
+
+    response=$(
+      redis-cli \
+      {{- if .Values.auth }}
+        -a "${AUTH}" --no-auth-warning \
+      {{- end }}
+        -h localhost \
+      {{- if ne (int .Values.redis.port) 0 }}
+        -p {{ .Values.redis.port }} \
+      {{- else }}
+        -p {{ .Values.redis.tlsPort }} ${TLS_CLIENT_OPTION} \
+      {{- end}}
+        role
+    )
+    role=$( echo "$response" | sed "1!d" )
+    if [ "$role" = "master" ]; then
+      echo "role=$role"
+      exit 0
+    elif [ "$role" = "slave" ]; then
+      repl=$( echo "$response" | sed "4!d" )
+      echo "role=$role; repl=$repl"
+      if [ "$repl" = "connected" ]; then
+        exit 0
+      else
+        exit 1
+      fi
+    else
+      echo "role=$role"
       exit 1
     fi
-    echo "response=$response"
 {{- end }}
 
 {{- define "sentinel_liveness.sh" }}

charts/argocd/charts/redis-ha/README.md

@@ -92,3 +92,39 @@ Return the appropriate apiVersion for poddisruptionbudget.
 {{- print "policy/v1beta1" -}}
 {{- end -}}
 {{- end -}}
+
+{{/* 
+Return true if the detected platform is Openshift
+Usage:
+{{- include "common.compatibility.isOpenshift" . -}}
+*/}}
+{{- define "compatibility.isOpenshift" -}}
+{{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
+{{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
+Usage:
+{{- include "compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
+*/}}
+{{- define "compatibility.renderSecurityContext" -}}
+{{- $adaptedContext := .secContext -}}
+
+{{- if (((.context.Values.global).compatibility).openshift) -}}
+  {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "compatibility.isOpenshift" .context)) -}}
+    {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
+    {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
+    {{- if not .secContext.seLinuxOptions -}}
+    {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
+    {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{/* Remove fields that are disregarded when running the container in privileged mode */}}
+{{- if $adaptedContext.privileged -}}
+  {{- $adaptedContext = omit $adaptedContext "capabilities" "seLinuxOptions" -}}
+{{- end -}}
+{{- omit $adaptedContext "enabled" | toYaml -}}
+{{- end -}}

charts/argocd/charts/redis-ha/ci/haproxy-enabled-values.yaml

@@ -35,13 +35,6 @@ spec:
           protocol: TCP
         - port: {{ .Values.sentinel.port }}
           protocol: TCP
-    - to:
-      - namespaceSelector: {}
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
 {{-  range $rule := .Values.networkPolicy.egressRules }}
     - to:
 {{ (tpl (toYaml $rule.selectors) $) | indent 7 }}

charts/argocd/charts/redis-ha/templates/_configs.tpl

@@ -12,6 +12,10 @@ metadata:
     {{- range $key, $value := .Values.extraLabels }}
     {{ $key }}: {{ $value | quote }}
     {{- end }}
+{{- if .Values.serviceAccount.annotations }}
+  annotations:
+{{ toYaml .Values.serviceAccount.annotations | indent 4 }}
+{{- end }}
 {{- if or .Values.auth .Values.sentinel.auth }}
 secrets:
 {{- end }}

charts/argocd/charts/redis-ha/templates/_helpers.tpl

@@ -1,4 +1,4 @@
-{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ( .Values.exporter.serviceMonitor.enabled ) ( .Values.exporter.enabled ) }}
+{{- if and ( or .Values.exporter.serviceMonitor.disableAPICheck ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ) ( .Values.exporter.serviceMonitor.enabled ) ( .Values.exporter.enabled ) }}
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata: