Kubernetes/k8s-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[DO-1431] deploy ArgoCD (!6)

Browse Source 
DO-1431

Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech>
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/6
This commit is contained in:
Denis Patrakeev
2025-02-10 15:05:06 +03:00
parent 328e9d39ed
commit 5654a65bff
12 changed files with 828 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

346
clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/values-override.yaml Normal file
View File

@@ -0,0 +1,346 @@
## Argo CD configuration
## Ref: https://github.com/argoproj/argo-cd
##
## Globally shared configuration
global:
# -- Default domain used by all components
## Used for ingresses, certificates, SSO, notifications, etc.
domain: argocd.avroid.tech
# Default image used by all components
image:
# -- If defined, a repository applied to all Argo CD deployments
repository: &global-image-repository "harbor.avroid.tech/quay-proxy/argoproj/argocd"
# -- Overrides the global Argo CD image tag whose default is the chart appVersion
tag: &global-image-tag "v2.14.2"
# -- Default node selector for all components
nodeSelector:
node-role.kubernetes.io/worker: ""
## Argo Configs
configs:
# General Argo CD configuration
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
cm:
# Dex configuration
dex.config: |
connectors:
- type: ldap
name: avroid.tech
id: ldap_avroid_tech
config:
# Ldap server address
host: "ds-01.avroid.tech:636"
insecureNoSSL: false
insecureSkipVerify: true
# Variable name stores ldap bindDN in argocd-secret
bindDN: "$dex.ldap.bindDN"
# Variable name stores ldap bind password in argocd-secret
bindPW: "$dex.ldap.bindPW"
usernamePrompt: Username
# Ldap user serch attributes
userSearch:
baseDN: cn=users,cn=accounts,dc=avroid,dc=tech
filter: "(objectClass=inetorgperson)"
username: uid
idAttr: uid
emailAttr: mail
# Ldap group serch attributes
groupSearch:
baseDN: cn=groups,cn=accounts,dc=avroid,dc=tech
filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
userMatchers:
- userAttr: DN
groupAttr: member
# Represents group name.
nameAttr: cn
# Argo CD configuration parameters
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml
params:
## Server properties
# -- Run server without TLS
## NOTE: This value should be set when you generate params by other means as it changes ports used by ingress template.
server.insecure: true
# Argo CD RBAC policy configuration
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
rbac:
# -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional).
# If omitted or empty, users may be still be able to login, but will see no apps, projects, etc...
policy.default: 'role:deny'
# -- File containing user-defined policies and role definitions.
# @default -- `''` (See [values.yaml])
policy.csv: |
p, role:devops-admin, applications, *, */*, allow
p, role:devops-admin, applicationsets, *, */*, allow
p, role:devops-admin, clusters, *, *, allow
p, role:devops-admin, projects, *, *, allow
p, role:devops-admin, repositories, *, *, allow
p, role:devops-admin, accounts, *, *, allow
p, role:devops-admin, certificates, *, *, allow
p, role:devops-admin, gpgkeys, *, *, allow
p, role:devops-admin, logs, *, *, allow
p, role:devops-admin, exec, *, */*, allow
p, role:devops-admin, extensions, *, */*, allow
g, grp-admin-devops, role:devops-admin
# Policy rules are in the form:
# p, subject, resource, action, object, effect
# Role definitions and bindings are in the form:
# g, subject, inherited-subject
# policy.csv: |
# p, role:org-admin, applications, *, */*, allow
# p, role:org-admin, clusters, get, *, allow
# p, role:org-admin, repositories, *, *, allow
# p, role:org-admin, logs, get, *, allow
# p, role:org-admin, exec, create, */*, allow
# g, your-github-org:your-team, role:org-admin
# -- Repositories list to be used by applications
## Creates a secret for each key/value specified below to create repositories
## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials".
repositories:
argocd-git-server:
url: https://git.avroid.tech/K8s/k8s-configs.git
name: prod_agrocd_configuration_repo
type: git
username: $git.repo.username
password: $git.repo.password
# istio-helm-repo:
# url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
# name: istio.io
# type: helm
# private-helm-repo:
# url: https://my-private-chart-repo.internal
# name: private-repo
# type: helm
# password: my-password
# username: my-username
# private-repo:
# url: https://github.com/argoproj/private-repo
# Argo CD sensitive data
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets
secret:
# -- Bcrypt hashed admin password
## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with
## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
argocdServerAdminPassword: $admin.password
## Dex image
image:
# -- Dex image repository
repository: harbor.avroid.tech/quay-proxy/dexidp/dex
## Redis-HA subchart replaces custom redis deployment when `redis-ha.enabled=true`
# Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml
redis-ha:
# -- Enables the Redis HA subchart and disables the custom Redis single node deployment
enabled: true
## Server
server:
## Argo CD server Horizontal Pod Autoscaler
autoscaling:
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server
enabled: true
# -- Minimum number of replicas for the Argo CD server [HPA]
minReplicas: 2
# Argo CD server ingress configuration
ingress:
# -- Enable an ingress resource for the Argo CD server
enabled: true
# -- Additional ingress annotations
## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
# -- Defines which ingress controller will implement the resource
ingressClassName: "nginx"
# -- Enable TLS configuration for the hostname defined at `server.ingress.hostname`
## TLS certificate will be retrieved from a TLS secret `argocd-server-tls`
## You can create this secret via `certificate` or `certificateSecret` option
tls: true
## Repo Server
repoServer:
## Repo server Horizontal Pod Autoscaler
autoscaling:
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server
enabled: true
# -- Minimum number of replicas for the repo server [HPA]
minReplicas: 2
# -- Additional containers to be added to the repo server pod
## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/
## Note: Supports use of custom Helm templates
extraContainers:
- name: avp
command: [/var/run/argocd/argocd-cmp-server]
image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.tag }}"
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
# Register plugins into sidecar
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: avp.yaml
name: cmp-plugin
# Important: Mount tools into $PATH
- name: custom-tools
subPath: argocd-vault-plugin
mountPath: /usr/local/bin/argocd-vault-plugin
# -- Init containers to add to the repo server pods
initContainers:
- name: download-tools
image: registry.access.redhat.com/ubi8
env:
- name: AVP_VERSION
value: 1.18.1
command: [sh, -c]
args:
- >-
curl -L https://nexus.avroid.tech/repository/devops-raw-proxy-gitea/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin &&
chmod +x argocd-vault-plugin &&
mv argocd-vault-plugin /custom-tools/
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
# -- Additional volumes to the repo server pod
volumes:
- name: cmp-plugin
configMap:
name: cmp-plugin
- name: custom-tools
emptyDir: {}
# -- Automount API credentials for the Service Account into the pod.
automountServiceAccountToken: true
## ApplicationSet controller
applicationSet:
# -- The number of ApplicationSet controller pods to run
replicas: 2
# -- Configures notification services such as slack, email or custom webhook
# @default -- See [values.yaml]
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/
notifiers:
service.telegram: |
token: $telegram-token
# -- Contains centrally managed global application subscriptions
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/subscriptions/
subscriptions:
- recipients:
# warning channel
- telegram:-1001685938630
triggers:
- on-sync-status-unknown
- app-deployed
- on-sync-succeeded
- recipients:
# critical channel
- telegram:-1001997104886
triggers:
- on-health-degraded
- on-sync-failed
# -- The notification template is used to generate the notification content
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/
templates:
template.app-deployed: |
email:
subject: New version of an application {{.app.metadata.name}} is up and running.
message: |
{{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests.
template.app-health-degraded: |
email:
subject: Application {{.app.metadata.name}} has degraded.
message: |
{{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded.
Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
template.app-sync-failed: |
email:
subject: Failed to sync application {{.app.metadata.name}}.
message: |
{{if eq .serviceType "slack"}}:exclamation:{{end}} The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
template.app-sync-running: |
email:
subject: Start syncing application {{.app.metadata.name}}.
message: |
The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}.
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
template.app-sync-status-unknown: |
email:
subject: Application {{.app.metadata.name}} sync status is 'Unknown'
message: |
{{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'.
Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
{{if ne .serviceType "slack"}}
{{range $c := .app.status.conditions}}
* {{$c.message}}
{{end}}
{{end}}
template.app-sync-succeeded: |
email:
subject: Application {{.app.metadata.name}} has been successfully synced.
message: |
{{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}.
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
# -- The trigger defines the condition when the notification should be sent
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/
triggers:
trigger.on-deployed: |
- description: Application is synced and healthy. Triggered once per commit.
oncePer: app.status.sync.revision
send:
- app-deployed
when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
trigger.on-health-degraded: |
- description: Application has degraded
send:
- app-health-degraded
when: app.status.health.status == 'Degraded'
trigger.on-sync-failed: |
- description: Application syncing has failed
send:
- app-sync-failed
when: app.status.operationState.phase in ['Error', 'Failed']
trigger.on-sync-running: |
- description: Application is being synced
send:
- app-sync-running
when: app.status.operationState.phase in ['Running']
trigger.on-sync-status-unknown: |
- description: Application status is 'Unknown'
send:
- app-sync-status-unknown
when: app.status.sync.status == 'Unknown'
trigger.on-sync-succeeded: |
- description: Application syncing has succeeded
send:
- app-sync-succeeded
when: app.status.operationState.phase in ['Succeeded']
#
# For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/#default-triggers
# defaultTriggers: |
# - on-sync-status-unknown