From b48bef599c0b4fb832d2c031fae9b5a148e95eff Mon Sep 17 00:00:00 2001 From: Stefan Reimer Date: Wed, 9 Apr 2025 22:51:04 +0000 Subject: [PATCH] feat: more argoCD tuning for vals on AWS --- charts/kubezero-argo/README.md | 14 +++++--------- charts/kubezero-argo/values.yaml | 30 +---------------------------- charts/kubezero/templates/argo.yaml | 29 +++++++++++++++++++++++++++- charts/kubezero/values.yaml | 2 +- scripts/lib-update.sh | 2 +- 5 files changed, 36 insertions(+), 41 deletions(-) diff --git a/charts/kubezero-argo/README.md b/charts/kubezero-argo/README.md index 892644a4..1ffd6062 100644 --- a/charts/kubezero-argo/README.md +++ b/charts/kubezero-argo/README.md @@ -1,6 +1,6 @@ # kubezero-argo -![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) +![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) KubeZero Argo - Events, Workflow, CD @@ -18,9 +18,9 @@ Kubernetes: `>= 1.30.0-0` | Repository | Name | Version | |------------|------|---------| -| https://argoproj.github.io/argo-helm | argo-cd | 7.8.13 | -| https://argoproj.github.io/argo-helm | argo-events | 2.4.14 | -| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.0 | +| https://argoproj.github.io/argo-helm | argo-cd | 7.8.23 | +| https://argoproj.github.io/argo-helm | argo-events | 2.4.15 | +| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.12.1 | | https://cdn.zero-downtime.net/charts/ | kubezero-lib | 0.2.1 | ## Values 
@@ -54,7 +54,7 @@ Kubernetes: `>= 1.30.0-0` | argo-cd.dex.enabled | bool | `false` | | | argo-cd.enabled | bool | `false` | | | argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` | | -| argo-cd.global.image.tag | string | `"v2.14.7"` | | +| argo-cd.global.image.tag | string | `"v2.14.9"` | | | argo-cd.global.logging.format | string | `"json"` | | | argo-cd.global.networkPolicy.create | bool | `true` | | | argo-cd.istio.enabled | bool | `false` | | @@ -69,10 +69,6 @@ Kubernetes: `>= 1.30.0-0` | argo-cd.redisSecretInit.enabled | bool | `false` | | | argo-cd.repoServer.metrics.enabled | bool | `false` | | | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` | | -| argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` | | -| argo-cd.repoServer.volumeMounts[0].name | string | `"kubeconfigs"` | | -| argo-cd.repoServer.volumes[0].emptyDir | object | `{}` | | -| argo-cd.repoServer.volumes[0].name | string | `"kubeconfigs"` | | | argo-cd.server.metrics.enabled | bool | `false` | | | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` | | | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` | | diff --git a/charts/kubezero-argo/values.yaml b/charts/kubezero-argo/values.yaml index 9379cb01..7fb25834 100644 --- a/charts/kubezero-argo/values.yaml +++ b/charts/kubezero-argo/values.yaml @@ -38,7 +38,7 @@ argo-cd: format: json image: repository: public.ecr.aws/zero-downtime/zdt-argocd - tag: v2.14.7 + tag: v2.14.9 networkPolicy: create: true @@ -116,13 +116,6 @@ argo-cd: serviceMonitor: enabled: true - volumes: - - name: kubeconfigs - emptyDir: {} - volumeMounts: - - mountPath: /home/argocd/.kube - name: kubeconfigs - # Allow vals to read internal secrets across all namespaces # @ignored clusterRoleRules: 
@@ -132,27 +125,6 @@ argo-cd:
 resources: ["secrets"]
 verbs: ["get", "watch", "list"]
- # @ignored
- initContainers:
- - name: create-kubeconfig
- image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
- imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
- command:
- - /usr/local/bin/sa2kubeconfig.sh
- - /home/argocd/.kube/config
- volumeMounts:
- - mountPath: /home/argocd/.kube
- name: kubeconfigs
- securityContext:
- runAsNonRoot: true
- readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
- seccompProfile:
- type: RuntimeDefault
- capabilities:
- drop:
- - ALL
-
 server:
 # Rename former https port to grpc, works with istio + insecure
 service:
diff --git a/charts/kubezero/templates/argo.yaml b/charts/kubezero/templates/argo.yaml
index 82e0739b..0a828f38 100644
--- a/charts/kubezero/templates/argo.yaml
+++ b/charts/kubezero/templates/argo.yaml
@@ -25,6 +25,33 @@ argo-cd:
 repoServer:
 metrics:
 enabled: {{ .Values.metrics.enabled }}
+
+ {{- if eq .Values.global.platform "aws" }}
+ env:
+ - name: AWS_ROLE_ARN
+ value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-repo-server"
+ - name: AWS_WEB_IDENTITY_TOKEN_FILE
+ value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+ - name: AWS_STS_REGIONAL_ENDPOINTS
+ value: "regional"
+ - name: METADATA_TRIES
+ value: "0"
+ - name: AWS_REGION
+ value: {{ .Values.global.aws.region }}
+ volumes:
+ - name: aws-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ path: token
+ expirationSeconds: 86400
+ audience: "sts.amazonaws.com"
+ volumeMounts:
+ - name: aws-token
+ mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+ readOnly: true
+ {{- end }}
+
 {{- with index .Values "argo" "argo-cd" "repoServer" }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
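Review bot: `value: {{ .Values.global.aws.region }}` under `AWS_REGION` is the only unquoted templated scalar in the new `env` list; if the region is unset it renders as a bare `value:` and the pod silently gets an empty `AWS_REGION`, so it should read `value: "{{ .Values.global.aws.region }}"` like its siblings, and the `accountId`/`region`/`clusterName` lookups would fail more clearly wrapped in `required`. The same concern applies to the `argocd-image-updater` hunk further down, which swaps the `{{- if .Values.global.aws }}` guard for the platform check and thereby drops the only test that `.Values.global.aws` exists before its keys are dereferenced. Presumably the user-supplied `repoServer` values merged by the `{{- with index ... }}` block right after this can also carry `env`, `volumes` or `volumeMounts`; if so the rendered mapping contains the key twice and which copy wins is loader-dependent, so the two sources should be merged or documented as mutually exclusive. `expirationSeconds: 86400` gives the projected STS token a 24-hour validity; kubelet refreshes it before expiry, so a shorter lifetime (the API minimum is 600) would bound how long a copied token file stays usable without changing behaviour. The enclosing `argo-cd:`/`repoServer:` mapping starts before the hunk.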
@@ -51,7 +78,7 @@ argocd-image-updater:
 {{- toYaml . | nindent 2 }}
 {{- end }}
- {{- if .Values.global.aws }}
+ {{- if eq .Values.global.platform "aws" }}
 extraEnv:
 - name: AWS_ROLE_ARN
 value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
diff --git a/charts/kubezero/values.yaml b/charts/kubezero/values.yaml
index 266eacda..7357ec22 100644
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@@ -115,7 +115,7 @@ logging:
 argo:
 enabled: false
 namespace: argocd
- targetRevision: 0.3.1
+ targetRevision: 0.3.2
 argo-cd:
 enabled: false
 istio:
diff --git a/scripts/lib-update.sh b/scripts/lib-update.sh
index 59cf67f5..a93cc378 100755
--- a/scripts/lib-update.sh
+++ b/scripts/lib-update.sh
@@ -18,7 +18,7 @@ update_jsonnet() {
 update_helm() {
 #helm repo update
- helm dep build
+ helm dep update
 }
 # AWS public ECR
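Review bot: `helm dep update` in `update_helm` re-resolves every dependency against the constraints in Chart.yaml and rewrites Chart.lock, whereas the replaced `helm dep build` reproduces exactly what the existing Chart.lock pins; the script therefore no longer yields a reproducible dependency set from a checked-in lock. For an update script that is presumably the intent, but it makes the Chart.lock diff the only record of which subchart versions were actually pulled, so those lock changes should be committed together with the chart version bump and reviewed like any other dependency change. A comment above the call would make this explicit, e.g. `# re-resolves dependencies and rewrites Chart.lock; use 'helm dep build' to reproduce the pinned lock`. The rest of the script continues outside the hunk.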