diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..c3cfbe9 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,23 @@ +# EditorConfig is awesome: https://editorconfig.org + +# top-most EditorConfig file +root = true + +# Unix-style newlines with a newline ending every file +[*] +end_of_line = lf +insert_final_newline = true +charset = utf-8 + +[*.sh] +# like -i=4 +indent_style = space +indent_size = 4 + +# --language-variant +shell_variant = bash +binary_next_line = true +# --case-indent +switch_case_indent = true +space_redirects = true +keep_padding = true diff --git a/.gitea/pull_request_template.md b/.gitea/pull_request_template.md new file mode 100644 index 0000000..5a6a671 --- /dev/null +++ b/.gitea/pull_request_template.md @@ -0,0 +1,13 @@ +--- + +name: "Feature PR" +about: "Template feature PR" +title: "[DO-XXXX] New feature" +ref: "main" +assignees: ["svc-gitea-k8s-w"] +labels: +- "kind/Feature" + +--- + +[DO-XXXX] diff --git a/.gitea/workflows/check-shellscripts.yml b/.gitea/workflows/check-shellscripts.yml new file mode 100644 index 0000000..94cd356 --- /dev/null +++ b/.gitea/workflows/check-shellscripts.yml 
@@ -0,0 +1,44 @@ +--- +name: Check ShellScripts +run-name: ${{ gitea.actor }} is start check shellscripts +on: [pull_request] + +jobs: + shellscripts: + name: Check shellscripts by shellcheck + runs-on: docker + container: + image: harbor.avroid.tech/docker-hub-proxy/library/node:20 + steps: + - run: echo "Start job on ${{ runner.name }} with os ${{ runner.os }}" + - run: echo "Work with branch ${{ gitea.ref }} repository ${{ gitea.repository }}" + + - name: Check out repository code + uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout.git@v4 + + - name: Check shellscripts by shellcheck + uses: https://git-mirrors.avroid.tech/Mirrors-actions/action-shellcheck.git@2.0.0 + + shfmt: + name: Check shellscript formatting + runs-on: docker + container: + image: harbor.avroid.tech/docker-hub-proxy/library/node:20 + steps: + - run: echo "Start job on ${{ runner.name }} with os ${{ runner.os }}" + - run: echo "Work with branch ${{ gitea.ref }} repository ${{ gitea.repository }}" + + - name: Check out repository code + uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout.git@v4 + + - name: Install Golang + uses: https://git-mirrors.avroid.tech/Mirrors-actions/setup-go.git@v5 + with: + go-version: '1.22' + check-latest: true + + - name: Install shfmt + run: go install mvdan.cc/sh/v3/cmd/shfmt@latest + + - name: Check shellscripts by shfmt + run: shfmt -d . diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fc9f2db --- /dev/null +++ b/.gitignore 
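Review bot: The shfmt job installs an unpinned tool with `run: go install mvdan.cc/sh/v3/cmd/shfmt@latest`, so the formatting check is not reproducible and whatever the module proxy serves as the newest release runs on the PR runner unreviewed; pin it, e.g. `run: go install mvdan.cc/sh/v3/cmd/shfmt@v<pinned-version>`, and bump deliberately. The same applies, to a lesser degree, to the mutable tags `@v4` and `@2.0.0` on the mirrored checkout and action-shellcheck actions: a tag can be moved on the mirror, whereas a full commit SHA cannot; if the mirror supports it, pinning by SHA with the tag in a trailing comment is the usual practice. Both jobs also duplicate the two diagnostic `echo` steps; a short comment such as `# diagnostics only, safe to drop` or removing them would make the workflow easier to read.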
@@ -0,0 +1,37 @@ +# ---> Ansible +*.retry +.vault_password_file +ansible_collections + +# ---> JetBrains +# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider +# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839 +.idea + +# File-based project format +*.iws + +# ---> VisualStudioCode +.vscode +.history/ +*.vsix +**/.DS_Store + + +# Other +.vagrant + +.venv +venv* +.kubespray-venv +kubespray-venv* +**/.kubespray-venv +**/kubespray-venv* + +__pycache__ +*~ +*.log +._* + +.creds +.secrets diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/argocd/README.md b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/README.md new file mode 100644 index 0000000..bed14bb --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/README.md @@ -0,0 +1,39 @@ +# Argo CD + +## Project structure +```text +. +├── README.md +├── argocd-namespace.yaml +├── .rbac +├── argo-cd +│ ├── README.md +│ ├── values-override.yml +│ ├── argocd_values_secrets_init.sh +│ └── .rbac +└── argocd-apps + ├── README.md + └── values-override.yml + +Назначение: +argo-cd - Helm-чарт для установки Argo CD +argocd-apps - Helm-чарт для развёртывания в Argo CD "корневого" приложения, которое будет разворачивать остальные приложения +argocd-namespace.yaml - манифест для создания namespace Argo CD +.rbac - кастомные правила для RBAC +``` +## First install +Порядок развёртывания Argo CD: +1. Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes + +2. Готовим namespace: +```bash +kubectl apply -f argocd-namespace.yaml +``` + +2. Разворачиваем Argo CD + +[README.md](argo-cd/README.md) + +3. Разворачиваем "корневое" приложение в Argo CD + +[README.md](argocd-apps/README.md) 
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/.rbac/vault-service-account.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/.rbac/vault-service-account.yaml new file mode 100644 index 0000000..b034d82 --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/.rbac/vault-service-account.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: serviceaccount + app.kubernetes.io/instance: vault-sa + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: vault-operator + app.kubernetes.io/part-of: vault-operator + app.kubernetes.io/managed-by: kustomize + name: vault + namespace: argocd diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/README.md b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/README.md new file mode 100644 index 0000000..c1f89c6 --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/README.md 
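Review bot: The ServiceAccount `vault` carries `app.kubernetes.io/managed-by: kustomize` and `app.kubernetes.io/created-by: vault-operator`, but the accompanying README applies this file directly with `kubectl apply -f .rbac/vault-service-account.yaml` and no kustomization or operator is part of this commit, so the labels describe a workflow that does not exist here. No RoleBinding or ClusterRoleBinding for this account appears in the commit either, so a reader cannot tell what it is meant to access; a header comment stating the consumer (presumably Vault's Kubernetes auth for the AVP sidecar — confirm) and where its bindings live would help. Since nothing in the hunk shows a pod using it, consider `automountServiceAccountToken: false` on the account unless a pod is known to need the mounted token.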
@@ -0,0 +1,120 @@ +# Install Argo CD by [argo-cd in argo-helm](https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd) + +## Create from version +| Project | Version | +|---------------------|---------| +| ArgoCD Helm | 7.8.2 | +| ArgoCD | v2.14.2 | +| ArgoCD Vault Plugin | 1.18.1 | + + +## Plugins +1. Argo CD Vault Plugin + +https://argocd-vault-plugin.readthedocs.io/en/stable/installation/#initcontainer-and-configuration-via-sidecar + +https://github.com/argoproj-labs/argocd-vault-plugin/tree/main/manifests/cmp-sidecar + +https://habr.com/ru/articles/645773/ + + +## Install +Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes + +Готовим служебную УЗ для vault: +```bash +kubectl apply -f .rbac/vault-service-account.yaml +``` + +Получаем из Vault секреты с паролями/токенами/сертификатами и выгружаем в окружение оболочки: +```bash +./argocd_values_secrets_init.sh + +source .creds +``` + +Создаём секрет с сертификатами: +```bash +kubectl -n argocd create secret tls argocd-server-tls \ + --cert=.secrets/argocd_cert.pem \ + --key=.secrets/argocd_key.pem +``` + +Добавляем конфигурацию для плагина ArgoCD Vault: +```bash +kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml +kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml +``` + +И производим непосредственную установку ArgoCD: + +```bash +helm repo add argo https://argoproj.github.io/argo-helm +helm repo update + +helm install -n argocd argo-cd argo/argo-cd -f values-override.yaml \ + --set configs.secret.argocdServerAdminPassword=$ARGOCD_ADMIN_PASSWORD_HASH \ + --set configs.repositories.argocd-git-server.username=$ARGOCD_GIT_REPO_USER \ + --set configs.repositories.argocd-git-server.password=$ARGOCD_GIT_REPO_USER_PASSWORD +``` + +Подпихиваем в секрет `argocd-secret` необходимые для конфигурации секреты: +```bash +kubectl -n argocd patch --patch-file .secrets/argocd-secret-path.yaml secret argocd-secret +``` + + + +## Upgrade/Changes 
+Обновление настроек и чарта делаем так: + +В начале сравниваем содержимое `values-override.yaml` с исходным файлом `values.yaml` +(ссылка на исходную версию зафиксирована в заголовке `values-override.yaml`) через diff (IDE лучше). +Или с новой версией `values.yaml` в Helm-чарте. +Вносим необходимые правки, новые опции или добавляем секреты. + +Получаем из Vault секреты с паролями/токенами/сертификатами и выгружаем в окружение оболочки: +```bash +./argocd_values_secrets_init.sh + +source .creds +``` + +Создаём секрет с сертификатами: +```bash +kubectl -n argocd create secret tls argocd-server-tls \ + --cert=.secrets/argocd_cert.pem \ + --key=.secrets/argocd_key.pem +``` + +Добавляем конфигурацию для плагина ArgoCD Vault: +```bash +kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml +kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml +``` + +Подпихиваем в секрет argocd-secret необходимые для конфигурации секреты: +```bash +kubectl -n argocd patch --patch-file .secrets/argocd-secret-path.yaml secret argocd-secret +``` + +Затем применяем: +```bash +helm upgrade -n argocd argo-cd argo/argo-cd -f values-override.yaml \ + --set configs.secret.argocdServerAdminPassword=$ARGOCD_ADMIN_PASSWORD_HASH \ + --set configs.repositories.argocd-git-server.username=$ARGOCD_GIT_REPO_USER \ + --set configs.repositories.argocd-git-server.password=$ARGOCD_GIT_REPO_USER_PASSWORD +``` + +## Установка и использование CLI Argo CD на локальной машине +https://argo-cd.readthedocs.io/en/stable/cli_installation + +MacOS: +```bash +brew install argocd +``` + +Использование: +```bash +argocd login argocd.avroid.tech +``` diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/argocd_values_secrets_init.sh b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/argocd_values_secrets_init.sh new file mode 100755 index 0000000..747ae13 --- /dev/null 
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/argocd_values_secrets_init.sh 
@@ -0,0 +1,102 @@ +#!/bin/sh +set -e + +rm -rf .creds .secrets + +argocd_admin_password=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.user.admin.password | awk '{print $2}') + +# shellcheck disable=SC2016 +argocd_admin_password_hash=$(htpasswd -nbBC 10 "" "${argocd_admin_password}" | tr -d ':\n' | sed 's/$2y/$2a/') + +argocd_ldap_binddn=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep dn | awk '{print $2}') +argocd_ldap_binddn_password=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep password | awk '{print $2}') + +argocd_tg_token=$(vault kv get team-devops/accounts/bots/telegram/alertmanager | grep bot.avroid_alerts_bot.token | awk '{print $2}') + +argocd_repo_user=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep login | awk '{print $2}') +argocd_repo_password=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep password | awk '{print $2}') + +argocd_cert_key=$(vault kv get -field="certificate.key" team-devops/ssl/avroid.tech/wildcard.avroid.tech) +argocd_cert_data=$(vault kv get -field="certificate_fullchain.crt" team-devops/ssl/avroid.tech/wildcard.avroid.tech) + +argocd_avp_role_id=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.argocd_vault_plugin.vault.env.AVP_ROLE_ID | awk '{print $2}') +argocd_avp_secret_id=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.argocd_vault_plugin.vault.env.AVP_SECRET_ID | awk '{print $2}') + +cat > .creds << EOF +export ARGOCD_ADMIN_PASSWORD='${argocd_admin_password}' +export ARGOCD_ADMIN_PASSWORD_HASH='${argocd_admin_password_hash}' +export ARGOCD_GIT_REPO_USER='${argocd_repo_user}' +export ARGOCD_GIT_REPO_USER_PASSWORD='${argocd_repo_password}' +EOF + +mkdir .secrets + +cat > .secrets/argocd_key.pem << EOF +${argocd_cert_key} +EOF + +cat > .secrets/argocd_cert.pem << EOF +${argocd_cert_data} +EOF + +cat > 
.secrets/argocd-secret-path.yaml << EOF +apiVersion: v1 +kind: Secret +metadata: + name: argocd-secret + namespace: argocd +type: Opaque +stringData: + admin.password: ${argocd_admin_password_hash} + dex.ldap.bindDN: ${argocd_ldap_binddn} + dex.ldap.bindPW: ${argocd_ldap_binddn_password} + telegram-token: ${argocd_tg_token} +EOF + +cat > .secrets/argocd-vault-plugin-configmap.yaml << EOF +apiVersion: v1 +kind: ConfigMap +metadata: + name: cmp-plugin + namespace: argocd +data: + avp.yaml: | + apiVersion: argoproj.io/v1alpha1 + kind: ConfigManagementPlugin + metadata: + name: argocd-vault-plugin + spec: + allowConcurrency: true + discover: + find: + command: + - sh + - "-c" + - "find . -name '*.yaml' | xargs -I {} grep \" .secrets/argocd-vault-plugin-secret.yaml << EOF +apiVersion: v1 +kind: Secret +metadata: + name: argocd-vault-plugin-credentials + namespace: argocd +type: Opaque +stringData: + AVP_AUTH_TYPE: approle + AVP_TYPE: vault + VAULT_ADDR: "https://vault.avroid.tech" + AVP_ROLE_ID: ${argocd_avp_role_id} + AVP_SECRET_ID: ${argocd_avp_secret_id} +EOF + +echo "Run:" +echo ' 1. source .creds' +echo ' 2. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml' +echo ' 3. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml' diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/values-override.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/values-override.yaml new file mode 100644 index 0000000..d9fdbca --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/values-override.yaml 
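Review bot: Every `vault kv get … | grep <key> | awk '{print $2}'` pipeline reports awk's exit status, so under `set -e` in `/bin/sh` a failed or unauthenticated `vault` call is not fatal and the resulting empty value is written straight into `.creds` and `.secrets/argocd-secret-path.yaml`; `grep dn` and `grep password` also match any key containing that substring, so a second matching line yields a multi-line value. The certificate lookups already use the exact form `vault kv get -field="…" <path>`, which fails loudly and returns exactly one field — use it for the other lookups too, e.g. `argocd_ldap_binddn=$(vault kv get -field=<exact key name> team-devops/accounts/ldap/service_accounts/svc_argocd)`. The generated files hold the plaintext admin password and the AppRole `AVP_SECRET_ID` and are created with the caller's default umask; add `umask 077` directly after `set -e` so `.creds` and `.secrets/` are owner-only, and a header comment stating that these files must never be committed (they are in `.gitignore`, but the script itself does not say so). The middle of this hunk, the body of the `cmp-plugin` ConfigMap, appears truncated in this view, so the `find`/`grep` discover command could not be reviewed.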
@@ -0,0 +1,346 @@ +## Argo CD configuration +## Ref: https://github.com/argoproj/argo-cd +## + +## Globally shared configuration +global: + # -- Default domain used by all components + ## Used for ingresses, certificates, SSO, notifications, etc. + domain: argocd.avroid.tech + + # Default image used by all components + image: + # -- If defined, a repository applied to all Argo CD deployments + repository: &global-image-repository "harbor.avroid.tech/quay-proxy/argoproj/argocd" + # -- Overrides the global Argo CD image tag whose default is the chart appVersion + tag: &global-image-tag "v2.14.2" + + # -- Default node selector for all components + nodeSelector: + node-role.kubernetes.io/worker: "" + +## Argo Configs +configs: + # General Argo CD configuration + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml + cm: + # Dex configuration + dex.config: | + connectors: + - type: ldap + name: avroid.tech + id: ldap_avroid_tech + config: + # Ldap server address + host: "ds-01.avroid.tech:636" + insecureNoSSL: false + insecureSkipVerify: true + # Variable name stores ldap bindDN in argocd-secret + bindDN: "$dex.ldap.bindDN" + # Variable name stores ldap bind password in argocd-secret + bindPW: "$dex.ldap.bindPW" + usernamePrompt: Username + # Ldap user serch attributes + userSearch: + baseDN: cn=users,cn=accounts,dc=avroid,dc=tech + filter: "(objectClass=inetorgperson)" + username: uid + idAttr: uid + emailAttr: mail + # Ldap group serch attributes + groupSearch: + baseDN: cn=groups,cn=accounts,dc=avroid,dc=tech + filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))" + userMatchers: + - userAttr: DN + groupAttr: member + # Represents group name. 
+ nameAttr: cn + + # Argo CD configuration parameters + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml + params: + ## Server properties + # -- Run server without TLS + ## NOTE: This value should be set when you generate params by other means as it changes ports used by ingress template. + server.insecure: true + + # Argo CD RBAC policy configuration + ## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md + rbac: + # -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional). + # If omitted or empty, users may be still be able to login, but will see no apps, projects, etc... + policy.default: 'role:deny' + + # -- File containing user-defined policies and role definitions. + # @default -- `''` (See [values.yaml]) + policy.csv: | + p, role:devops-admin, applications, *, */*, allow + p, role:devops-admin, applicationsets, *, */*, allow + p, role:devops-admin, clusters, *, *, allow + p, role:devops-admin, projects, *, *, allow + p, role:devops-admin, repositories, *, *, allow + p, role:devops-admin, accounts, *, *, allow + p, role:devops-admin, certificates, *, *, allow + p, role:devops-admin, gpgkeys, *, *, allow + p, role:devops-admin, logs, *, *, allow + p, role:devops-admin, exec, *, */*, allow + p, role:devops-admin, extensions, *, */*, allow + g, grp-admin-devops, role:devops-admin + # Policy rules are in the form: + # p, subject, resource, action, object, effect + # Role definitions and bindings are in the form: + # g, subject, inherited-subject + # policy.csv: | + # p, role:org-admin, applications, *, */*, allow + # p, role:org-admin, clusters, get, *, allow + # p, role:org-admin, repositories, *, *, allow + # p, role:org-admin, logs, get, *, allow + # p, role:org-admin, exec, create, */*, allow + # g, your-github-org:your-team, role:org-admin + + # -- Repositories list to be used by applications + ## Creates a secret for each 
key/value specified below to create repositories + ## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials". + repositories: + argocd-git-server: + url: https://git.avroid.tech/K8s/k8s-configs.git + name: prod_agrocd_configuration_repo + type: git + username: $git.repo.username + password: $git.repo.password + # istio-helm-repo: + # url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts + # name: istio.io + # type: helm + # private-helm-repo: + # url: https://my-private-chart-repo.internal + # name: private-repo + # type: helm + # password: my-password + # username: my-username + # private-repo: + # url: https://github.com/argoproj/private-repo + + # Argo CD sensitive data + # Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets + secret: + # -- Bcrypt hashed admin password + ## Argo expects the password in the secret to be bcrypt hashed. 
You can create this hash with + ## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'` + argocdServerAdminPassword: $admin.password + + ## Dex image + image: + # -- Dex image repository + repository: harbor.avroid.tech/quay-proxy/dexidp/dex + +## Redis-HA subchart replaces custom redis deployment when `redis-ha.enabled=true` +# Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml +redis-ha: + # -- Enables the Redis HA subchart and disables the custom Redis single node deployment + enabled: true + +## Server +server: + ## Argo CD server Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server + enabled: true + # -- Minimum number of replicas for the Argo CD server [HPA] + minReplicas: 2 + + # Argo CD server ingress configuration + ingress: + # -- Enable an ingress resource for the Argo CD server + enabled: true + + # -- Additional ingress annotations + ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + + # -- Defines which ingress controller will implement the resource + ingressClassName: "nginx" + + # -- Enable TLS configuration for the hostname defined at `server.ingress.hostname` + ## TLS certificate will be retrieved from a TLS secret `argocd-server-tls` + ## You can create this secret via `certificate` or `certificateSecret` option + tls: true + +## Repo Server +repoServer: + ## Repo server Horizontal Pod Autoscaler + autoscaling: + # -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server + enabled: true + # -- Minimum number of replicas for the repo server [HPA] + minReplicas: 2 + + # -- Additional containers to be added to the repo server pod + ## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/ + ## Note: Supports use of custom Helm templates 
+ extraContainers: + - name: avp + command: [/var/run/argocd/argocd-cmp-server] + image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.tag }}" + securityContext: + runAsNonRoot: true + runAsUser: 999 + volumeMounts: + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + - mountPath: /tmp + name: tmp + # Register plugins into sidecar + - mountPath: /home/argocd/cmp-server/config/plugin.yaml + subPath: avp.yaml + name: cmp-plugin + # Important: Mount tools into $PATH + - name: custom-tools + subPath: argocd-vault-plugin + mountPath: /usr/local/bin/argocd-vault-plugin + + # -- Init containers to add to the repo server pods + initContainers: + - name: download-tools + image: registry.access.redhat.com/ubi8 + env: + - name: AVP_VERSION + value: 1.18.1 + command: [sh, -c] + args: + - >- + curl -L https://nexus.avroid.tech/repository/devops-raw-proxy-gitea/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin && + chmod +x argocd-vault-plugin && + mv argocd-vault-plugin /custom-tools/ + volumeMounts: + - mountPath: /custom-tools + name: custom-tools + + # -- Additional volumes to the repo server pod + volumes: + - name: cmp-plugin + configMap: + name: cmp-plugin + - name: custom-tools + emptyDir: {} + + # -- Automount API credentials for the Service Account into the pod. 
+ automountServiceAccountToken: true + +## ApplicationSet controller +applicationSet: + # -- The number of ApplicationSet controller pods to run + replicas: 2 + + + # -- Configures notification services such as slack, email or custom webhook + # @default -- See [values.yaml] + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/ + notifiers: + service.telegram: | + token: $telegram-token + + # -- Contains centrally managed global application subscriptions + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/subscriptions/ + subscriptions: + - recipients: + # warning channel + - telegram:-1001685938630 + triggers: + - on-sync-status-unknown + - app-deployed + - on-sync-succeeded + - recipients: + # critical channel + - telegram:-1001997104886 + triggers: + - on-health-degraded + - on-sync-failed + + # -- The notification template is used to generate the notification content + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/ + templates: + template.app-deployed: | + email: + subject: New version of an application {{.app.metadata.name}} is up and running. + message: | + {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests. + template.app-health-degraded: | + email: + subject: Application {{.app.metadata.name}} has degraded. + message: | + {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded. + Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}. + template.app-sync-failed: | + email: + subject: Failed to sync application {{.app.metadata.name}}. 
+ message: | + {{if eq .serviceType "slack"}}:exclamation:{{end}} The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}} + Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . + template.app-sync-running: | + email: + subject: Start syncing application {{.app.metadata.name}}. + message: | + The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}. + Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . + template.app-sync-status-unknown: | + email: + subject: Application {{.app.metadata.name}} sync status is 'Unknown' + message: | + {{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'. + Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}. + {{if ne .serviceType "slack"}} + {{range $c := .app.status.conditions}} + * {{$c.message}} + {{end}} + {{end}} + template.app-sync-succeeded: | + email: + subject: Application {{.app.metadata.name}} has been successfully synced. + message: | + {{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}. + Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true . + + # -- The trigger defines the condition when the notification should be sent + ## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/ + triggers: + trigger.on-deployed: | + - description: Application is synced and healthy. Triggered once per commit. 
+ oncePer: app.status.sync.revision + send: + - app-deployed + when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy' + trigger.on-health-degraded: | + - description: Application has degraded + send: + - app-health-degraded + when: app.status.health.status == 'Degraded' + trigger.on-sync-failed: | + - description: Application syncing has failed + send: + - app-sync-failed + when: app.status.operationState.phase in ['Error', 'Failed'] + trigger.on-sync-running: | + - description: Application is being synced + send: + - app-sync-running + when: app.status.operationState.phase in ['Running'] + trigger.on-sync-status-unknown: | + - description: Application status is 'Unknown' + send: + - app-sync-status-unknown + when: app.status.sync.status == 'Unknown' + trigger.on-sync-succeeded: | + - description: Application syncing has succeeded + send: + - app-sync-succeeded + when: app.status.operationState.phase in ['Succeeded'] + # + # For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/#default-triggers + # defaultTriggers: | + # - on-sync-status-unknown diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/README.md b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/README.md new file mode 100644 index 0000000..ddb0dcc --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/README.md 
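Review bot: In the Dex LDAP connector near the top of the hunk, `insecureSkipVerify: true` is set together with `host: "ds-01.avroid.tech:636"`, so the LDAPS certificate is never validated and both `bindPW` and every user's login credentials are exposed to an on-path attacker; set `insecureSkipVerify: false` and supply the issuing CA through the connector's `rootCA` (file path) or `rootCAData` field. In the `download-tools` init container the argocd-vault-plugin binary is fetched with `curl -L … -o argocd-vault-plugin && chmod +x` and executed without any integrity check, so the repo server's plugin sidecar runs whatever the Nexus proxy returned; record the expected digest alongside `AVP_VERSION` and verify it with `sha256sum -c` before the `mv`. Further down, `server.insecure: true` is combined with `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` and `tls: true`; the chart's own note on `server.insecure` says it changes the ingress ports, and passthrough presumably expects argocd-server to terminate TLS itself, so one of the two settings looks unintended — confirm which mode is wanted and document the choice in a comment.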
@@ -0,0 +1,45 @@ +# Install Argo CD by [argocd-apps in argo-helm](https://github.com/argoproj/argo-helm/tree/main/charts/argocd-apps) + +## Create from version +| Project | Version | +|---------------------|---------| +| ArgoCD Helm | 7.8.2 | + + + +## Common +Используется подход управления приложениями через корневое приложение: + +[App of Apps Pattern](https://github.com/argoproj/argo-helm/tree/main/charts/argocd-apps) + + + +## Prepare install +Предварительно должен быть развёрнут и настроен ArgoCD через оператора `argo-cd` из состава `ArgoCD Helm` (каталог с инструкцией и переменными `argo-cd`) + + +## Install +Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes + +И производим непосредственную установку корневого приложения ArgoCD: + +```bash +helm repo add argo https://argoproj.github.io/argo-helm +helm repo update + +helm install -n argocd argocd-apps argo/argocd-apps -f values-override.yaml +``` + + +## Upgrade/Changes +Обновление настроек и чарта делаем так: + +В начале сравниваем содержимое `values-override.yaml` с исходным файлом `values.yaml` +(ссылка на исходную версию зафиксирована в заголовке `values-override.yaml`) через diff (IDE лучше). +Или с новой версией `values.yaml` в Helm-чарте. +Вносим необходимые правки, новые опции или добавляем секреты. + +Затем применяем: +```bash +helm upgrade -n argocd argocd-apps argo/argocd-apps -f values-override.yaml +``` diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/values-override.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/values-override.yaml new file mode 100644 index 0000000..8d1a0b2 --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/values-override.yaml 
@@ -0,0 +1,37 @@ +# -- Deploy Argo CD Applications within this helm release +# @default -- `{}` (See [values.yaml]) +## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/ +applications: + root-app: + namespace: argocd + additionalLabels: {} + additionalAnnotations: {} + finalizers: + - resources-finalizer.argocd.argoproj.io + project: default + source: + repoURL: https://git.avroid.tech/K8s/k8s-configs.git + targetRevision: master + path: clusters/k8s-avroid-office.prod.local/namespaces + directory: + recurse: true + exclude: '*' + include: 'argocd-apps-*.yaml' + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - Validate=true + - PrunePropagationPolicy=foreground + - PruneLast=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-namespace.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-namespace.yaml new file mode 100644 index 0000000..f587ede --- /dev/null +++ b/clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-namespace.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: argocd + labels: + name: argocd + app.kubernetes.io/managed-by: manual + annotations: + scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
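Review bot: `root-app` is placed in `project: default`, the built-in AppProject that permits any source repository and any destination cluster and namespace, and it is combined with `automated.prune`/`selfHeal` and `CreateNamespace=true`, so any file matching `argocd-apps-*.yaml` that lands under `clusters/k8s-avroid-office.prod.local/namespaces` on `master` is applied cluster-wide without further review. A dedicated AppProject restricted to `sourceRepos` containing only `https://git.avroid.tech/K8s/k8s-configs.git` and the destinations actually used, referenced here via `project: <project-name>`, limits the blast radius of a compromised or mistaken commit. Separately, `targetRevision: master` here while `.gitea/pull_request_template.md` in the same commit uses `ref: "main"` — confirm which branch name the repository actually uses.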