Update manifests to use v0.8.0

Make manifests friendly to `kubectl apply` semantics by omitting `data:` field RBAC docs improvements
argoproj · Sep 5, 2018 · d7c04ae · d7c04ae
1 parent 5bcf8c4
commit d7c04ae
Show file tree

Hide file tree

Showing 10 changed files with 125 additions and 105 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # Changelog
 
-## v0.8.0 (TBD)
+## v0.8.0 (2018-09-04)
 
 ### Notes about upgrading from v0.7
 * The RBAC model has been improved to support explicit denies. What this means is that any previous
@@ -15,14 +15,20 @@ RBAC policy rules, need to be rewritten to include one extra column with the eff
     ```
 
 ### Changes since v0.7:
-+ Support kustomize as an application source
-+ Introduce project tokens for automation access
-+ Add ability to delete a single application resource to support immutable updates
++ Support kustomize as an application source (issue #510)
++ Introduce project tokens for automation access (issue #498)
++ Add ability to delete a single application resource to support immutable updates (issue #262)
 + Update RBAC model to support explicit denies (issue #497)
 + Ability to view Kubernetes events related to application projects for auditing
++ Add PVC healthcheck to controller (issue #501)
++ Run all containers as an unprivileged user (issue #528)
 * Upgrade ksonnet to v0.12.0
-* Add readiness probe to API server
+* Add readiness probes to API server (issue #522)
+* Use gRPC error codes instead of fmt.Errorf (#532)
 - API discovery becomes best effort when partial resource list is returned (issue #524)
+- Fix `argocd app wait` printing incorrect Sync output (issue #542)
+- Fix issue where argocd could not sync to a tag (#541)
+- Fix issue where static assets were browser cached between upgrades (issue #489)
 
 ## v0.7.2 (2018-08-21)
 - API discovery becomes best effort when partial resource list is returned (issue #524)

diff --git a/Makefile b/Makefile
@@ -62,16 +62,16 @@ cli: clean-debug
 
 .PHONY: cli-linux
 cli-linux: clean-debug
-	docker build --iidfile /tmp/argocd-linux-id --target builder --build-arg MAKE_TARGET="cli IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-linux-amd64" .
+	docker build --iidfile /tmp/argocd-linux-id --target argocd-build --build-arg MAKE_TARGET="cli IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-linux-amd64" .
 	docker create --name tmp-argocd-linux `cat /tmp/argocd-linux-id`
-	docker cp tmp-argocd-linux:/root/go/src/github.com/argoproj/argo-cd/dist/argocd-linux-amd64 dist/
+	docker cp tmp-argocd-linux:/go/src/github.com/argoproj/argo-cd/dist/argocd-linux-amd64 dist/
 	docker rm tmp-argocd-linux
 
 .PHONY: cli-darwin
 cli-darwin: clean-debug
-	docker build --iidfile /tmp/argocd-darwin-id --target builder --build-arg MAKE_TARGET="cli GOOS=darwin IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-darwin-amd64" .
+	docker build --iidfile /tmp/argocd-darwin-id --target argocd-build --build-arg MAKE_TARGET="cli GOOS=darwin IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-darwin-amd64" .
 	docker create --name tmp-argocd-darwin `cat /tmp/argocd-darwin-id`
-	docker cp tmp-argocd-darwin:/root/go/src/github.com/argoproj/argo-cd/dist/argocd-darwin-amd64 dist/
+	docker cp tmp-argocd-darwin:/go/src/github.com/argoproj/argo-cd/dist/argocd-darwin-amd64 dist/
 	docker rm tmp-argocd-darwin
 
 .PHONY: argocd-util

diff --git a/docs/rbac.md b/docs/rbac.md
@@ -2,13 +2,17 @@
 
 ## Overview
 
-The feature RBAC allows restricting access to ArgoCD resources. ArgoCD does not have own user management system and has only one built-in user `admin`. The `admin` user is a
-superuser and it has full access. RBAC requires configuring [SSO](./sso.md) integration. Once [SSO](./sso.md) is connected you can define RBAC roles and map roles to groups.
+The RBAC feature enables restriction of access to ArgoCD resources. ArgoCD does not have its own
+user management system and has only one built-in user `admin`. The `admin` user is a superuser and
+it has unrestricted access to the system. RBAC requires [SSO configuration](./sso.md). Once SSO is
+configured, additional RBAC roles can be defined, and SSO groups can man be mapped to roles.
 
 ## Configure RBAC
 
-RBAC configuration allows defining roles and groups. ArgoCD has two pre-defined roles: role `role:readonly` which provides read-only access to all resources and role `role:admin`
-which provides full access. Role definitions are available in [builtin-policy.csv](../util/rbac/builtin-policy.csv) file.
+RBAC configuration allows defining roles and groups. ArgoCD has two pre-defined roles:
+* `role:readonly` - read-only access to all resources
+* `role:admin` - unrestricted access to all resources
+These role definitions can be seen in [builtin-policy.csv](../util/rbac/builtin-policy.csv)
 
 Additional roles and groups can be configured in `argocd-rbac-cm` ConfigMap. The example below custom role `org-admin`. The role is assigned to any user which belongs to
 `your-github-org:your-team` group. All other users get `role:readonly` and cannot modify ArgoCD settings.

diff --git a/manifests/components/02a_argocd-cm.yaml b/manifests/components/02a_argocd-cm.yaml
@@ -3,12 +3,23 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
-data:
-  # See https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso 
-  # for more details about how to setup data config needed for sso
+#data:
+  # ArgoCD's externally facing URL
+  # url: https://argo-cd-demo.argoproj.io
 
-  # URL is the external URL of ArgoCD
-  #url: 
-
-  # A dex connector configuration
-  #dex.config:
+  # A dex connector configuration.
+  # Visit https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso 
+  # for instructions on configuring SSO.
+  # dex.config: |
+  #   connectors:
+  #     # GitHub example
+  #     - type: github
+  #       id: github
+  #       name: GitHub
+  #       config:
+  #         clientID: aabbccddeeff00112233
+  #         clientSecret: $dex.github.clientSecret
+  #         orgs:
+  #         - name: your-github-org
+  #           teams:
+  #           - red-team
diff --git a/manifests/components/02b_argocd-secret.yaml b/manifests/components/02b_argocd-secret.yaml
@@ -1,24 +1,26 @@
 ---
-# NOTE: the values in this secret will be populated by the initial startup of the API
+# NOTE: some values in this secret will be populated by the initial startup of the API server
 apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-secret
 type: Opaque
-  # bcrypt hash of the admin password
-  #admin.password: 
-
-  # random server signature key for session validation
-  #server.secretkey:
-
+#data:
   # TLS certificate and private key for API server
-  #server.crt: 
-  #server.key:
+  # server.crt: 
+  # server.key:
 
   # The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
   # events. To enable webhooks, configure one or more of the following keys with the shared git
   # provider webhook secret. The payload URL configured in the git provider should use the 
   # /api/webhook endpoint of your ArgoCD instance (e.g. https://argocd.example.com/api/webhook)
-  #github.webhook.secret: 
-  #gitlab.webhook.secret:
-  #bitbucket.webhook.uuid: 
+  # github.webhook.secret: 
+  # gitlab.webhook.secret:
+  # bitbucket.webhook.uuid: 
+
+  # bcrypt hash of the admin password (autogenerated on initial startup).
+  # To reset a forgotten password, delete this key and restart the argocd-server
+  # admin.password: 
+
+  # random server signature key for session validation (autogenerated on initial startup)
+  # server.secretkey:
diff --git a/manifests/components/02c_argocd-rbac-cm.yaml b/manifests/components/02c_argocd-rbac-cm.yaml
@@ -3,24 +3,14 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-rbac-cm
-data:
-  # policy.csv holds the CSV file policy file which contains additional policy and role definitions.
-  # ArgoCD defines two built-in roles:
-  # * role:readonly - readonly access to all objects
-  # * role:admin - admin access to all objects
-  # The built-in policy can be seen under util/rbac/builtin-policy.csv
-  #policy.csv: ""
+#data:
+  # An RBAC policy .csv file containing additional policy and role definitions.
+  # See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md on how to write RBAC policies.
+  # policy.csv: |
+  #   # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project"
+  #   p, my-org:team-alpha, applications, sync, my-project/*, allow
+  #   # Make all members of "my-org:team-beta" admins
+  #   g, my-org:team-beta, role:admin
 
-  # There are two policy formats:
-  # 1. Applications (which belong to a project):
-  # p, <user/group>, <resource>, <action>, <project>/<object>
-  # 2. All other resources:
-  # p, <user/group>, <resource>, <action>, <object>
-
-  # For example, the following rule gives all members of 'my-org:team1' the ability to sync
-  # applications in the project named: my-project
-  # p, my-org:team1, applications, sync, my-project/*
-
-  # policy.default holds the default policy which will ArgoCD will fall back to, when authorizing
-  # a user for API requests
-  policy.default: role:readonly
+  # The default role ArgoCD will fall back to, when authorizing API requests
+  # policy.default: role:readonly
diff --git a/manifests/components/03d_application-controller-deployment.yaml b/manifests/components/03d_application-controller-deployment.yaml
@@ -14,6 +14,6 @@ spec:
     spec:
       containers:
       - command: [/argocd-application-controller, --repo-server, 'argocd-repo-server:8081']
-        image: argoproj/argocd-application-controller:v0.7.2
+        image: argoproj/argocd-application-controller:v0.8.0
         name: application-controller
       serviceAccountName: application-controller
diff --git a/manifests/components/04d_argocd-server-deployment.yaml b/manifests/components/04d_argocd-server-deployment.yaml
@@ -15,32 +15,30 @@ spec:
       serviceAccountName: argocd-server
       initContainers:
       - name: copyutil
-        image: argoproj/argocd-server:v0.7.2
+        image: argoproj/argocd-server:v0.8.0
         command: [cp, /argocd-util, /shared]
         volumeMounts:
         - mountPath: /shared
           name: static-files
       - name: ui
-        image: argoproj/argocd-ui:v0.7.2
+        image: argoproj/argocd-ui:v0.8.0
         command: [cp, -r, /app, /shared]
         volumeMounts:
         - mountPath: /shared
           name: static-files
       containers:
       - name: argocd-server
-        image: argoproj/argocd-server:v0.7.2
+        image: argoproj/argocd-server:v0.8.0
         command: [/argocd-server, --staticassets, /shared/app, --repo-server, 'argocd-repo-server:8081']
         volumeMounts:
         - mountPath: /shared
           name: static-files
-
         readinessProbe:
           httpGet:
             path: /healthz
             port: 8080
           initialDelaySeconds: 3
           periodSeconds: 30
-
       - name: dex
         image: quay.io/coreos/dex:v2.10.0
         command: [/shared/argocd-util, rundex]

diff --git a/manifests/components/05a_argocd-repo-server-deployment.yaml b/manifests/components/05a_argocd-repo-server-deployment.yaml
@@ -14,7 +14,7 @@ spec:
     spec:
       containers:
       - name: argocd-repo-server
-        image: argoproj/argocd-repo-server:v0.7.2
+        image: argoproj/argocd-repo-server:v0.8.0
         command: [/argocd-repo-server]
         ports:
           - containerPort: 8081
diff --git a/manifests/install.yaml b/manifests/install.yaml
@@ -33,65 +33,68 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
-data:
-  # See https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso 
-  # for more details about how to setup data config needed for sso
+#data:
+  # ArgoCD's externally facing URL
+  # url: https://argo-cd-demo.argoproj.io
 
-  # URL is the external URL of ArgoCD
-  #url: 
-
-  # A dex connector configuration
-  #dex.config:
+  # A dex connector configuration.
+  # Visit https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso 
+  # for instructions on configuring SSO.
+  # dex.config: |
+  #   connectors:
+  #     # GitHub example
+  #     - type: github
+  #       id: github
+  #       name: GitHub
+  #       config:
+  #         clientID: aabbccddeeff00112233
+  #         clientSecret: $dex.github.clientSecret
+  #         orgs:
+  #         - name: your-github-org
+  #           teams:
+  #           - red-team
 ---
-# NOTE: the values in this secret will be populated by the initial startup of the API
+# NOTE: some values in this secret will be populated by the initial startup of the API server
 apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-secret
 type: Opaque
-  # bcrypt hash of the admin password
-  #admin.password: 
-
-  # random server signature key for session validation
-  #server.secretkey:
-
+#data:
   # TLS certificate and private key for API server
-  #server.crt: 
-  #server.key:
+  # server.crt: 
+  # server.key:
 
   # The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
   # events. To enable webhooks, configure one or more of the following keys with the shared git
   # provider webhook secret. The payload URL configured in the git provider should use the 
   # /api/webhook endpoint of your ArgoCD instance (e.g. https://argocd.example.com/api/webhook)
-  #github.webhook.secret: 
-  #gitlab.webhook.secret:
-  #bitbucket.webhook.uuid: 
+  # github.webhook.secret: 
+  # gitlab.webhook.secret:
+  # bitbucket.webhook.uuid: 
+
+  # bcrypt hash of the admin password (autogenerated on initial startup).
+  # To reset a forgotten password, delete this key and restart the argocd-server
+  # admin.password: 
+
+  # random server signature key for session validation (autogenerated on initial startup)
+  # server.secretkey:
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-rbac-cm
-data:
-  # policy.csv holds the CSV file policy file which contains additional policy and role definitions.
-  # ArgoCD defines two built-in roles:
-  # * role:readonly - readonly access to all objects
-  # * role:admin - admin access to all objects
-  # The built-in policy can be seen under util/rbac/builtin-policy.csv
-  #policy.csv: ""
-
-  # There are two policy formats:
-  # 1. Applications (which belong to a project):
-  # p, <user/group>, <resource>, <action>, <project>/<object>
-  # 2. All other resources:
-  # p, <user/group>, <resource>, <action>, <object>
-
-  # For example, the following rule gives all members of 'my-org:team1' the ability to sync
-  # applications in the project named: my-project
-  # p, my-org:team1, applications, sync, my-project/*
+#data:
+  # An RBAC policy .csv file containing additional policy and role definitions.
+  # See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md on how to write RBAC policies.
+  # policy.csv: |
+  #   # Give all members of "my-org:team-alpha" the ability to sync apps in "my-project"
+  #   p, my-org:team-alpha, applications, sync, my-project/*, allow
+  #   # Make all members of "my-org:team-beta" admins
+  #   g, my-org:team-beta, role:admin
 
-  # policy.default holds the default policy which will ArgoCD will fall back to, when authorizing
-  # a user for API requests
-  policy.default: role:readonly
+  # The default role ArgoCD will fall back to, when authorizing API requests
+  # policy.default: role:readonly
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -162,7 +165,7 @@ spec:
     spec:
       containers:
       - command: [/argocd-application-controller, --repo-server, 'argocd-repo-server:8081']
-        image: argoproj/argocd-application-controller:v0.7.2
+        image: argoproj/argocd-application-controller:v0.8.0
         name: application-controller
       serviceAccountName: application-controller
 ---
@@ -238,24 +241,30 @@ spec:
       serviceAccountName: argocd-server
       initContainers:
       - name: copyutil
-        image: argoproj/argocd-server:v0.7.2
+        image: argoproj/argocd-server:v0.8.0
         command: [cp, /argocd-util, /shared]
         volumeMounts:
         - mountPath: /shared
           name: static-files
       - name: ui
-        image: argoproj/argocd-ui:v0.7.2
+        image: argoproj/argocd-ui:v0.8.0
         command: [cp, -r, /app, /shared]
         volumeMounts:
         - mountPath: /shared
           name: static-files
       containers:
       - name: argocd-server
-        image: argoproj/argocd-server:v0.7.2
+        image: argoproj/argocd-server:v0.8.0
         command: [/argocd-server, --staticassets, /shared/app, --repo-server, 'argocd-repo-server:8081']
         volumeMounts:
         - mountPath: /shared
           name: static-files
+        readinessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+          initialDelaySeconds: 3
+          periodSeconds: 30
       - name: dex
         image: quay.io/coreos/dex:v2.10.0
         command: [/shared/argocd-util, rundex]
@@ -298,7 +307,7 @@ spec:
     spec:
       containers:
       - name: argocd-repo-server
-        image: argoproj/argocd-repo-server:v0.7.2
+        image: argoproj/argocd-repo-server:v0.8.0
         command: [/argocd-repo-server]
         ports:
           - containerPort: 8081