argoproj · tico24 · Mar 12, 2026 · Feb 3, 2026 · Feb 3, 2026 · Mar 12, 2026
@@ -98,6 +98,14 @@ jobs:
         run: |
           kubectl apply -f ./.github/configs/external-redis.yaml
 
+      - name: Copy full CRDs to kind nodes for argo-workflows testing
+        id: argo-wf-crds
+        if: contains(steps.list-changed.outputs.changed_charts, 'argo-workflows')
+        run: |
+          for node in $(kind get nodes --name chart-testing); do
+            docker cp charts/argo-workflows/files/crds/full/. "$node":/crds/
+          done
+
       - name: Run chart-testing (install)
-        run: ct install --config ./.github/configs/ct-install.yaml
+        run: ct install --config ./.github/configs/ct-install.yaml ${{ steps.argo-wf-crds.outcome == 'success' && '--helm-extra-set-args "--set crds.upgradeJob.hostPath=/crds"' || '' }}
         if: steps.list-changed.outputs.changed == 'true'
@@ -21,3 +21,7 @@
 *.tmproj
 ci/
 *.gotmpl
+# Raw full CRDs are excluded from the chart package to keep the release Secret
+# under the 1MB Kubernetes Secret size limit. Full CRDs are applied at install
+# time by the CRD install hook Job, which downloads them from GitHub.
+files/crds/full/*.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
-appVersion: v3.7.11
+appVersion: v4.0.2
 name: argo-workflows
 description: A Helm chart for Argo Workflows
 type: application
-version: 0.47.5
+version: 1.0.0
 icon: https://argo-workflows.readthedocs.io/en/stable/assets/logo.png
 home: https://github.com/argoproj/argo-helm
 sources:
@@ -17,4 +17,4 @@ annotations:
     url: https://argoproj.github.io/argo-helm/pgp_keys.asc
   artifacthub.io/changes: |
     - kind: changed
-      description: Bump argo-workflows to v3.7.11
+      description: Bump argo-workflows to v4.0.2. Switch to full CRDs by default
@@ -10,68 +10,49 @@ If you want your deployment of this helm chart to most closely match the [argo C
 
 #### Full vs Minified CRDs
 
-By default, this chart installs the **minified CRDs** (which use `x-kubernetes-preserve-unknown-fields` to accept any fields).
-These are smaller in size but provide almost no validation.
-This is the default in upstream manifests.
+This chart supports two CRD variants:
 
-If you prefer to use the **full CRDs** with complete OpenAPI schemas (recommended for better validation and type safety), you can set:
+- **Full CRDs** (default): Include complete OpenAPI schemas for better validation and type safety. These are approximately 11MB total uncompressed.
+- **Minified CRDs**: Use `x-kubernetes-preserve-unknown-fields` to accept any fields. Smaller but provide almost no validation.
 
-```bash
---set crds.full=true
-```
+As of Argo Workflows version 4, full CRDs are the default, matching upstream.
 
-**Important:** Full CRDs are approximately 7.4MB total and will most likely need to be applied using Server Side Apply to avoid hitting size limits.
-When installing manually with kubectl, use:
+To use minified CRDs instead:
 
 ```bash
-kubectl apply --server-side --force-conflicts -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v<argoVersion>"
+helm install my-release argo/argo-workflows --set crds.full=false
 ```
 
-Note: Helm 3 does not natively support Server Side Apply.
-If you encounter issues installing full CRDs via Helm (such as "Too long" errors), you have two options:
+#### How the full CRDs are installed
 
-**Option 1: Manual kubectl apply**
+Full CRDs are too large to include directly in Helm templates (they would exceed the Kubernetes Secret size limit that Helm uses to store releases). Instead, this chart uses a **pre-install/pre-upgrade hook Job** that downloads and applies CRDs from this chart's GitHub release tag using `kubectl apply --server-side --force-conflicts`.
 
-1. Apply the CRDs manually using kubectl with `--server-side` as shown above
-2. Install the chart with `--set crds.install=false` to skip CRD installation
+This means `helm install` works out of the box with full CRDs — no manual steps required. The hook Job requires:
 
-**Option 2: Use ArgoCD with Server Side Apply**
+- A `kubectl` image (defaults to `registry.k8s.io/kubectl`)
+- ClusterRole permissions to create/update CRDs (created automatically as hook resources)
+- Network access to `raw.githubusercontent.com` from the cluster (to download the CRD manifests)
 
-ArgoCD supports Server Side Apply for Helm charts. To enable it, set the sync option in your Application manifest:
+You can customize the kubectl image, image pull secrets, and CRD source URL via `crds.upgradeJob` values (see values table below).
 
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: argo-workflows
-spec:
-  syncPolicy:
-    syncOptions:
-    - ServerSideApply=true
-  source:
-    chart: argo-workflows
-    repoURL: https://argoproj.github.io/argo-helm
-    targetRevision: 0.xx.xx
-    helm:
-      values: |
-        crds:
-          full: true
-```
+#### Using Argo CD
+
+Argo CD supports Helm hooks natively by converting them to Argo CD PreSync hooks. The CRD install hook Job will run automatically during Argo CD sync — no special configuration is required.
 
 #### Installing CRDs Outside the Chart
 
 Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart.
 
 Helm cannot upgrade custom resource definitions in the `<chart>/crds` folder [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). Starting with 3.4.0 (chart version 0.19.0), the CRDs have been moved to `<chart>/templates` to address this design decision.
 
-If you are using Argo Workflows chart version prior to 3.4.0 (chart version 0.19.0) or have elected to manage the Argo Workflows CRDs outside of the chart, please use `kubectl` to upgrade CRDs manually from [files/crds/full](files/crds/full/) or [files/crds/minimal](files/crds/minimal/) folders, or via the manifests from the upstream project repo:
+If you are managing CRDs outside the chart, apply them manually:
 
 ```bash
 # For full CRDs (requires Server Side Apply due to size)
 kubectl apply --server-side --force-conflicts -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=<appVersion>"
 
-# Eg. version v3.7.3
-kubectl apply --server-side --force-conflicts -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v3.7.3"
+# Eg. version v4.0.2
+kubectl apply --server-side --force-conflicts -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v4.0.2"
 
 # For minified CRDs (standard apply works fine)
 kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/minimal?ref=<appVersion>"
@@ -224,10 +205,20 @@ Fields to note:
 | apiVersionOverrides.cloudgoogle | string | `""` | String to override apiVersion of GKE resources rendered by this helm chart |
 | apiVersionOverrides.monitoring | string | `""` | String to override apiVersion of monitoring CRDs (ServiceMonitor) rendered by this helm chart |
 | commonLabels | object | `{}` | Labels to set on all resources |
-| crds.annotations | object | `{}` | Annotations to be added to all CRDs |
-| crds.full | bool | `false` | Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields. Note: Full CRDs are ~7.4MB and may require Server Side Apply (kubectl apply --server-side). See README for details. |
+| crds.annotations | object | `{}` | Annotations to be added to all CRDs (only applies when crds.full=false) |
+| crds.full | bool | `true` | Use full CRDs with complete OpenAPI schemas. When false, uses minified CRDs with x-kubernetes-preserve-unknown-fields. Full CRDs are very large and are installed via a pre-install/pre-upgrade hook Job that uses server-side apply. |
 | crds.install | bool | `true` | Install and upgrade CRDs |
 | crds.keep | bool | `true` | Keep CRDs on chart uninstall |
+| crds.upgradeJob | object | `{"crdBaseURL":"","hostPath":"","image":{"repository":"registry.k8s.io/kubectl","tag":"v1.35.2"},"imagePullSecrets":[],"nodeSelector":{},"resources":{},"tolerations":[]}` | Configuration for the CRD install Job (only used when crds.full=true) |
+| crds.upgradeJob.crdBaseURL | string | `""` | Override base URL to download full CRD YAML files from. Defaults to this chart's release tag on GitHub. Ignored if hostPath is set. |
+| crds.upgradeJob.hostPath | string | `""` | Host path to mount CRD files from (for local/CI testing). When set, CRDs are applied from this path instead of downloading. |
+| crds.upgradeJob.image | object | `{"repository":"registry.k8s.io/kubectl","tag":"v1.35.2"}` | Image for the kubectl container that applies CRDs |
+| crds.upgradeJob.image.repository | string | `"registry.k8s.io/kubectl"` | Repository for the kubectl image |
+| crds.upgradeJob.image.tag | string | `"v1.35.2"` | Tag for the kubectl image |
+| crds.upgradeJob.imagePullSecrets | list | `[]` | Image pull secrets for the CRD install Job |
+| crds.upgradeJob.nodeSelector | object | `{}` | Node selector for the CRD install Job |
+| crds.upgradeJob.resources | object | `{}` | Resources for the CRD install Job containers |
+| crds.upgradeJob.tolerations | list | `[]` | Tolerations for the CRD install Job |
 | createAggregateRoles | bool | `true` | Create ClusterRoles that extend existing ClusterRoles to interact with Argo Workflows CRDs. |
 | emissary.images | list | `[]` | The command/args for each image on workflow, needed when the command is not specified and the emissary executor is used. |
 | extraObjects | list | `[]` | Array of extra K8s manifests to deploy |

@@ -10,68 +10,49 @@ If you want your deployment of this helm chart to most closely match the [argo C
 
 #### Full vs Minified CRDs
 
-By default, this chart installs the **minified CRDs** (which use `x-kubernetes-preserve-unknown-fields` to accept any fields).
-These are smaller in size but provide almost no validation.
-This is the default in upstream manifests.
+This chart supports two CRD variants:
 
-If you prefer to use the **full CRDs** with complete OpenAPI schemas (recommended for better validation and type safety), you can set:
+- **Full CRDs** (default): Include complete OpenAPI schemas for better validation and type safety. These are approximately 11MB total uncompressed.
+- **Minified CRDs**: Use `x-kubernetes-preserve-unknown-fields` to accept any fields. Smaller but provide almost no validation.
 
-```bash
---set crds.full=true
-```
+As of Argo Workflows version 4, full CRDs are the default, matching upstream.
 
-**Important:** Full CRDs are approximately 7.4MB total and will most likely need to be applied using Server Side Apply to avoid hitting size limits.
-When installing manually with kubectl, use:
+To use minified CRDs instead:
 
 ```bash
-kubectl apply --server-side --force-conflicts -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v<argoVersion>"
+helm install my-release argo/argo-workflows --set crds.full=false
 ```
 
-Note: Helm 3 does not natively support Server Side Apply.
-If you encounter issues installing full CRDs via Helm (such as "Too long" errors), you have two options:
+#### How the full CRDs are installed
 
-**Option 1: Manual kubectl apply**
+Full CRDs are too large to include directly in Helm templates (they would exceed the Kubernetes Secret size limit that Helm uses to store releases). Instead, this chart uses a **pre-install/pre-upgrade hook Job** that downloads and applies CRDs from this chart's GitHub release tag using `kubectl apply --server-side --force-conflicts`.
 
-1. Apply the CRDs manually using kubectl with `--server-side` as shown above
-2. Install the chart with `--set crds.install=false` to skip CRD installation
+This means `helm install` works out of the box with full CRDs — no manual steps required. The hook Job requires:
 
-**Option 2: Use ArgoCD with Server Side Apply**
+- A `kubectl` image (defaults to `registry.k8s.io/kubectl`)
+- ClusterRole permissions to create/update CRDs (created automatically as hook resources)
+- Network access to `raw.githubusercontent.com` from the cluster (to download the CRD manifests)
 
-ArgoCD supports Server Side Apply for Helm charts. To enable it, set the sync option in your Application manifest:
+You can customize the kubectl image, image pull secrets, and CRD source URL via `crds.upgradeJob` values (see values table below).
 
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: argo-workflows
-spec:
-  syncPolicy:
-    syncOptions:
-    - ServerSideApply=true
-  source:
-    chart: argo-workflows
-    repoURL: https://argoproj.github.io/argo-helm
-    targetRevision: 0.xx.xx
-    helm:
-      values: |
-        crds:
-          full: true
-```
+#### Using Argo CD
+
+Argo CD supports Helm hooks natively by converting them to Argo CD PreSync hooks. The CRD install hook Job will run automatically during Argo CD sync — no special configuration is required.
 
 #### Installing CRDs Outside the Chart
 
 Some users would prefer to install the CRDs _outside_ of the chart. You can disable the CRD installation of this chart by using `--set crds.install=false` when installing the chart.
 
 Helm cannot upgrade custom resource definitions in the `<chart>/crds` folder [by design](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#some-caveats-and-explanations). Starting with 3.4.0 (chart version 0.19.0), the CRDs have been moved to `<chart>/templates` to address this design decision.
 
-If you are using Argo Workflows chart version prior to 3.4.0 (chart version 0.19.0) or have elected to manage the Argo Workflows CRDs outside of the chart, please use `kubectl` to upgrade CRDs manually from [files/crds/full](files/crds/full/) or [files/crds/minimal](files/crds/minimal/) folders, or via the manifests from the upstream project repo:
+If you are managing CRDs outside the chart, apply them manually:
 
 ```bash
 # For full CRDs (requires Server Side Apply due to size)
 kubectl apply --server-side --force-conflicts -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=<appVersion>"
 
-# Eg. version v3.7.3
-kubectl apply --server-side --force-conflicts -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v3.7.3"
+# Eg. version v4.0.2
+kubectl apply --server-side --force-conflicts -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/full?ref=v4.0.2"
 
 # For minified CRDs (standard apply works fine)
 kubectl apply -k "https://github.com/argoproj/argo-workflows/manifests/base/crds/minimal?ref=<appVersion>"

@@ -0,0 +1,5 @@
+# Test with minimal (non-full) CRDs
+# it has to run before the other tests
+crds:
+  full: false
+  keep: false