[DO-1431] deploy ArgoCD (!6)

DO-1431

Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech>
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/6

clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/argocd_values_secrets_init.sh

@@ -0,0 +1,102 @@
+#!/bin/sh
+set -e
+
+rm -rf .creds .secrets
+
+argocd_admin_password=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.user.admin.password | awk '{print $2}')
+
+# shellcheck disable=SC2016
+argocd_admin_password_hash=$(htpasswd -nbBC 10 "" "${argocd_admin_password}" | tr -d ':\n' | sed 's/$2y/$2a/')
+
+argocd_ldap_binddn=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep dn | awk '{print $2}')
+argocd_ldap_binddn_password=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep password | awk '{print $2}')
+
+argocd_tg_token=$(vault kv get team-devops/accounts/bots/telegram/alertmanager | grep bot.avroid_alerts_bot.token | awk '{print $2}')
+
+argocd_repo_user=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep login | awk '{print $2}')
+argocd_repo_password=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep password | awk '{print $2}')
+
+argocd_cert_key=$(vault kv get -field="certificate.key" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
+argocd_cert_data=$(vault kv get -field="certificate_fullchain.crt" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
+
+argocd_avp_role_id=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.argocd_vault_plugin.vault.env.AVP_ROLE_ID | awk '{print $2}')
+argocd_avp_secret_id=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.argocd_vault_plugin.vault.env.AVP_SECRET_ID | awk '{print $2}')
+
+cat > .creds << EOF
+export ARGOCD_ADMIN_PASSWORD='${argocd_admin_password}'
+export ARGOCD_ADMIN_PASSWORD_HASH='${argocd_admin_password_hash}'
+export ARGOCD_GIT_REPO_USER='${argocd_repo_user}'
+export ARGOCD_GIT_REPO_USER_PASSWORD='${argocd_repo_password}'
+EOF
+
+mkdir .secrets
+
+cat > .secrets/argocd_key.pem << EOF
+${argocd_cert_key}
+EOF
+
+cat > .secrets/argocd_cert.pem << EOF
+${argocd_cert_data}
+EOF
+
+cat > .secrets/argocd-secret-path.yaml << EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-secret
+  namespace: argocd
+type: Opaque
+stringData:
+  admin.password: ${argocd_admin_password_hash}
+  dex.ldap.bindDN: ${argocd_ldap_binddn}
+  dex.ldap.bindPW: ${argocd_ldap_binddn_password}
+  telegram-token: ${argocd_tg_token}
+EOF
+
+cat > .secrets/argocd-vault-plugin-configmap.yaml << EOF
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cmp-plugin
+  namespace: argocd
+data:
+  avp.yaml: |
+    apiVersion: argoproj.io/v1alpha1
+    kind: ConfigManagementPlugin
+    metadata:
+      name: argocd-vault-plugin
+    spec:
+      allowConcurrency: true
+      discover:
+        find:
+          command:
+            - sh
+            - "-c"
+            - "find . -name '*.yaml' | xargs -I {} grep \"<path\\\\|avp\\\\.kubernetes\\\\.io\" {} | grep ."
+      generate:
+        command:
+          - argocd-vault-plugin
+          - generate
+          - "."
+      lockRepo: false
+EOF
+
+cat > .secrets/argocd-vault-plugin-secret.yaml << EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-vault-plugin-credentials
+  namespace: argocd
+type: Opaque
+stringData:
+  AVP_AUTH_TYPE: approle
+  AVP_TYPE: vault
+  VAULT_ADDR: "https://vault.avroid.tech"
+  AVP_ROLE_ID: ${argocd_avp_role_id}
+  AVP_SECRET_ID: ${argocd_avp_secret_id}
+EOF
+
+echo "Run:"
+echo '  1. source .creds'
+echo '  2. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml'
+echo '  3. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml'