Kubernetes/k8s-configs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[DO-1431] deploy ArgoCD (!6)

Browse Source 
DO-1431

Co-authored-by: denis.patrakeev <denis.patrakeev@avroid.tech>
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/6
This commit is contained in:
Denis Patrakeev
2025-02-10 15:05:06 +03:00
parent 328e9d39ed
commit 5654a65bff
12 changed files with 828 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
.editorconfig Normal file
View File

@@ -0,0 +1,23 @@
# EditorConfig is awesome: https://editorconfig.org
# top-most EditorConfig file
root = true
# Unix-style newlines with a newline ending every file
[*]
end_of_line = lf
insert_final_newline = true
charset = utf-8
[*.sh]
# like -i=4
indent_style = space
indent_size = 4
# --language-variant
shell_variant = bash
binary_next_line = true
# --case-indent
switch_case_indent = true
space_redirects = true
keep_padding = true

13
.gitea/pull_request_template.md Normal file
View File

@@ -0,0 +1,13 @@
---
name: "Feature PR"
about: "Template feature PR"
title: "[DO-XXXX] New feature"
ref: "main"
assignees: ["svc-gitea-k8s-w"]
labels:
- "kind/Feature"
---
[DO-XXXX]

44
.gitea/workflows/check-shellscripts.yml Normal file
View File

@@ -0,0 +1,44 @@
---
name: Check ShellScripts
run-name: ${{ gitea.actor }} is start check shellscripts
on: [pull_request]
jobs:
shellscripts:
name: Check shellscripts by shellcheck
runs-on: docker
container:
image: harbor.avroid.tech/docker-hub-proxy/library/node:20
steps:
- run: echo "Start job on ${{ runner.name }} with os ${{ runner.os }}"
- run: echo "Work with branch ${{ gitea.ref }} repository ${{ gitea.repository }}"
- name: Check out repository code
uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout.git@v4
- name: Check shellscripts by shellcheck
uses: https://git-mirrors.avroid.tech/Mirrors-actions/action-shellcheck.git@2.0.0
shfmt:
name: Check shellscript formatting
runs-on: docker
container:
image: harbor.avroid.tech/docker-hub-proxy/library/node:20
steps:
- run: echo "Start job on ${{ runner.name }} with os ${{ runner.os }}"
- run: echo "Work with branch ${{ gitea.ref }} repository ${{ gitea.repository }}"
- name: Check out repository code
uses: https://git-mirrors.avroid.tech/Mirrors-actions/checkout.git@v4
- name: Install Golang
uses: https://git-mirrors.avroid.tech/Mirrors-actions/setup-go.git@v5
with:
go-version: '1.22'
check-latest: true
- name: Install shfmt
run: go install mvdan.cc/sh/v3/cmd/shfmt@latest
- name: Check shellscripts by shfmt
run: shfmt -d .

37
.gitignore vendored Normal file
View File

@@ -0,0 +1,37 @@
# ---> Ansible
*.retry
.vault_password_file
ansible_collections
# ---> JetBrains
# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio, WebStorm and Rider
# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
.idea
# File-based project format
*.iws
# ---> VisualStudioCode
.vscode
.history/
*.vsix
**/.DS_Store
# Other
.vagrant
.venv
venv*
.kubespray-venv
kubespray-venv*
**/.kubespray-venv
**/kubespray-venv*
__pycache__
*~
*.log
._*
.creds
.secrets

39
clusters/k8s-avroid-office.prod.local/namespaces/argocd/README.md Normal file
View File

@@ -0,0 +1,39 @@
# Argo CD
## Project structure
```text
.
├── README.md
├── argocd-namespace.yaml
├── .rbac
├── argo-cd
│ ├── README.md
│ ├── values-override.yml
│ ├── argocd_values_secrets_init.sh
│ └── .rbac
└── argocd-apps
├── README.md
└── values-override.yml
Назначение:
argo-cd - Helm-чарт для установки Argo CD
argocd-apps - Helm-чарт для развёртывания в Argo CD "корневого" приложения, которое будет разворачивать остальные приложения
argocd-namespace.yaml - манифест для создания namespace Argo CD
.rbac - кастомные правила для RBAC
```
## First install
Порядок развёртывания Argo CD:
1. Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes
2. Готовим namespace:
```bash
kubectl apply -f argocd-namespace.yaml
```
2. Разворачиваем Argo CD
[README.md](argo-cd/README.md)
3. Разворачиваем "корневое" приложение в Argo CD
[README.md](argocd-apps/README.md)

12
clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/.rbac/vault-service-account.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: serviceaccount
app.kubernetes.io/instance: vault-sa
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: vault-operator
app.kubernetes.io/part-of: vault-operator
app.kubernetes.io/managed-by: kustomize
name: vault
namespace: argocd

120
clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/README.md Normal file
View File

@@ -0,0 +1,120 @@
# Install Argo CD by [argo-cd in argo-helm](https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd)
## Create from version
| Project | Version |
|---------------------|---------|
| ArgoCD Helm | 7.8.2 |
| ArgoCD | v2.14.2 |
| ArgoCD Vault Plugin | 1.18.1 |
## Plugins
1. Argo CD Vault Plugin
https://argocd-vault-plugin.readthedocs.io/en/stable/installation/#initcontainer-and-configuration-via-sidecar
https://github.com/argoproj-labs/argocd-vault-plugin/tree/main/manifests/cmp-sidecar
https://habr.com/ru/articles/645773/
## Install
Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes
Готовим служебную УЗ для vault:
```bash
kubectl apply -f .rbac/vault-service-account.yaml
```
Получаем из Vault секреты с паролями/токенами/сертификатами и выгружаем в окружение оболочки:
```bash
./argocd_values_secrets_init.sh
source .creds
```
Создаём секрет с сертификатами:
```bash
kubectl -n argocd create secret tls argocd-server-tls \
--cert=.secrets/argocd_cert.pem \
--key=.secrets/argocd_key.pem
```
Добавляем конфигурацию для плагина ArgoCD Vault:
```bash
kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml
kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml
```
И производим непосредственную установку ArgoCD:
```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install -n argocd argo-cd argo/argo-cd -f values-override.yaml \
--set configs.secret.argocdServerAdminPassword=$ARGOCD_ADMIN_PASSWORD_HASH \
--set configs.repositories.argocd-git-server.username=$ARGOCD_GIT_REPO_USER \
--set configs.repositories.argocd-git-server.password=$ARGOCD_GIT_REPO_USER_PASSWORD
```
Подпихиваем в секрет `argocd-secret` необходимые для конфигурации секреты:
```bash
kubectl -n argocd patch --patch-file .secrets/argocd-secret-path.yaml secret argocd-secret
```
## Upgrade/Changes
Обновление настроек и чарта делаем так:
В начале сравниваем содержимое `values-override.yaml` с исходным файлом `values.yaml`
(ссылка на исходную версию зафиксирована в заголовке `values-override.yaml`) через diff (IDE лучше).
Или с новой версией `values.yaml` в Helm-чарте.
Вносим необходимые правки, новые опции или добавляем секреты.
Получаем из Vault секреты с паролями/токенами/сертификатами и выгружаем в окружение оболочки:
```bash
./argocd_values_secrets_init.sh
source .creds
```
Создаём секрет с сертификатами:
```bash
kubectl -n argocd create secret tls argocd-server-tls \
--cert=.secrets/argocd_cert.pem \
--key=.secrets/argocd_key.pem
```
Добавляем конфигурацию для плагина ArgoCD Vault:
```bash
kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml
kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml
```
Подпихиваем в секрет argocd-secret необходимые для конфигурации секреты:
```bash
kubectl -n argocd patch --patch-file .secrets/argocd-secret-path.yaml secret argocd-secret
```
Затем применяем:
```bash
helm upgrade -n argocd argo-cd argo/argo-cd -f values-override.yaml \
--set configs.secret.argocdServerAdminPassword=$ARGOCD_ADMIN_PASSWORD_HASH \
--set configs.repositories.argocd-git-server.username=$ARGOCD_GIT_REPO_USER \
--set configs.repositories.argocd-git-server.password=$ARGOCD_GIT_REPO_USER_PASSWORD
```
## Установка и использование CLI Argo CD на локальной машине
https://argo-cd.readthedocs.io/en/stable/cli_installation
MacOS:
```bash
brew install argocd
```
Использование:
```bash
argocd login argocd.avroid.tech
```

102
clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/argocd_values_secrets_init.sh Executable file
View File

@@ -0,0 +1,102 @@
#!/bin/sh
set -e
rm -rf .creds .secrets
argocd_admin_password=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.user.admin.password | awk '{print $2}')
# shellcheck disable=SC2016
argocd_admin_password_hash=$(htpasswd -nbBC 10 "" "${argocd_admin_password}" | tr -d ':\n' | sed 's/$2y/$2a/')
argocd_ldap_binddn=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep dn | awk '{print $2}')
argocd_ldap_binddn_password=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep password | awk '{print $2}')
argocd_tg_token=$(vault kv get team-devops/accounts/bots/telegram/alertmanager | grep bot.avroid_alerts_bot.token | awk '{print $2}')
argocd_repo_user=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep login | awk '{print $2}')
argocd_repo_password=$(vault kv get team-devops/accounts/ldap/service_accounts/svc_argocd | grep password | awk '{print $2}')
argocd_cert_key=$(vault kv get -field="certificate.key" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
argocd_cert_data=$(vault kv get -field="certificate_fullchain.crt" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
argocd_avp_role_id=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.argocd_vault_plugin.vault.env.AVP_ROLE_ID | awk '{print $2}')
argocd_avp_secret_id=$(vault kv get team-devops/services/ci-cd/ArgoCD/argocd.avroid.tech | grep service.argocd_vault_plugin.vault.env.AVP_SECRET_ID | awk '{print $2}')
cat > .creds << EOF
export ARGOCD_ADMIN_PASSWORD='${argocd_admin_password}'
export ARGOCD_ADMIN_PASSWORD_HASH='${argocd_admin_password_hash}'
export ARGOCD_GIT_REPO_USER='${argocd_repo_user}'
export ARGOCD_GIT_REPO_USER_PASSWORD='${argocd_repo_password}'
EOF
mkdir .secrets
cat > .secrets/argocd_key.pem << EOF
${argocd_cert_key}
EOF
cat > .secrets/argocd_cert.pem << EOF
${argocd_cert_data}
EOF
cat > .secrets/argocd-secret-path.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: argocd
type: Opaque
stringData:
admin.password: ${argocd_admin_password_hash}
dex.ldap.bindDN: ${argocd_ldap_binddn}
dex.ldap.bindPW: ${argocd_ldap_binddn_password}
telegram-token: ${argocd_tg_token}
EOF
cat > .secrets/argocd-vault-plugin-configmap.yaml << EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: cmp-plugin
namespace: argocd
data:
avp.yaml: |
apiVersion: argoproj.io/v1alpha1
kind: ConfigManagementPlugin
metadata:
name: argocd-vault-plugin
spec:
allowConcurrency: true
discover:
find:
command:
- sh
- "-c"
- "find . -name '*.yaml' | xargs -I {} grep \"<path\\\\|avp\\\\.kubernetes\\\\.io\" {} | grep ."
generate:
command:
- argocd-vault-plugin
- generate
- "."
lockRepo: false
EOF
cat > .secrets/argocd-vault-plugin-secret.yaml << EOF
apiVersion: v1
kind: Secret
metadata:
name: argocd-vault-plugin-credentials
namespace: argocd
type: Opaque
stringData:
AVP_AUTH_TYPE: approle
AVP_TYPE: vault
VAULT_ADDR: "https://vault.avroid.tech"
AVP_ROLE_ID: ${argocd_avp_role_id}
AVP_SECRET_ID: ${argocd_avp_secret_id}
EOF
echo "Run:"
echo ' 1. source .creds'
echo ' 2. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-configmap.yaml'
echo ' 3. kubectl -n argocd apply -f .secrets/argocd-vault-plugin-secret.yaml'

346
clusters/k8s-avroid-office.prod.local/namespaces/argocd/argo-cd/values-override.yaml Normal file
View File

@@ -0,0 +1,346 @@
## Argo CD configuration
## Ref: https://github.com/argoproj/argo-cd
##
## Globally shared configuration
global:
# -- Default domain used by all components
## Used for ingresses, certificates, SSO, notifications, etc.
domain: argocd.avroid.tech
# Default image used by all components
image:
# -- If defined, a repository applied to all Argo CD deployments
repository: &global-image-repository "harbor.avroid.tech/quay-proxy/argoproj/argocd"
# -- Overrides the global Argo CD image tag whose default is the chart appVersion
tag: &global-image-tag "v2.14.2"
# -- Default node selector for all components
nodeSelector:
node-role.kubernetes.io/worker: ""
## Argo Configs
configs:
# General Argo CD configuration
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml
cm:
# Dex configuration
dex.config: |
connectors:
- type: ldap
name: avroid.tech
id: ldap_avroid_tech
config:
# Ldap server address
host: "ds-01.avroid.tech:636"
insecureNoSSL: false
insecureSkipVerify: true
# Variable name stores ldap bindDN in argocd-secret
bindDN: "$dex.ldap.bindDN"
# Variable name stores ldap bind password in argocd-secret
bindPW: "$dex.ldap.bindPW"
usernamePrompt: Username
# Ldap user serch attributes
userSearch:
baseDN: cn=users,cn=accounts,dc=avroid,dc=tech
filter: "(objectClass=inetorgperson)"
username: uid
idAttr: uid
emailAttr: mail
# Ldap group serch attributes
groupSearch:
baseDN: cn=groups,cn=accounts,dc=avroid,dc=tech
filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
userMatchers:
- userAttr: DN
groupAttr: member
# Represents group name.
nameAttr: cn
# Argo CD configuration parameters
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cmd-params-cm.yaml
params:
## Server properties
# -- Run server without TLS
## NOTE: This value should be set when you generate params by other means as it changes ports used by ingress template.
server.insecure: true
# Argo CD RBAC policy configuration
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
rbac:
# -- The name of the default role which Argo CD will falls back to, when authorizing API requests (optional).
# If omitted or empty, users may be still be able to login, but will see no apps, projects, etc...
policy.default: 'role:deny'
# -- File containing user-defined policies and role definitions.
# @default -- `''` (See [values.yaml])
policy.csv: |
p, role:devops-admin, applications, *, */*, allow
p, role:devops-admin, applicationsets, *, */*, allow
p, role:devops-admin, clusters, *, *, allow
p, role:devops-admin, projects, *, *, allow
p, role:devops-admin, repositories, *, *, allow
p, role:devops-admin, accounts, *, *, allow
p, role:devops-admin, certificates, *, *, allow
p, role:devops-admin, gpgkeys, *, *, allow
p, role:devops-admin, logs, *, *, allow
p, role:devops-admin, exec, *, */*, allow
p, role:devops-admin, extensions, *, */*, allow
g, grp-admin-devops, role:devops-admin
# Policy rules are in the form:
# p, subject, resource, action, object, effect
# Role definitions and bindings are in the form:
# g, subject, inherited-subject
# policy.csv: |
# p, role:org-admin, applications, *, */*, allow
# p, role:org-admin, clusters, get, *, allow
# p, role:org-admin, repositories, *, *, allow
# p, role:org-admin, logs, get, *, allow
# p, role:org-admin, exec, create, */*, allow
# g, your-github-org:your-team, role:org-admin
# -- Repositories list to be used by applications
## Creates a secret for each key/value specified below to create repositories
## Note: the last example in the list would use a repository credential template, configured under "configs.repositoryCredentials".
repositories:
argocd-git-server:
url: https://git.avroid.tech/K8s/k8s-configs.git
name: prod_agrocd_configuration_repo
type: git
username: $git.repo.username
password: $git.repo.password
# istio-helm-repo:
# url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
# name: istio.io
# type: helm
# private-helm-repo:
# url: https://my-private-chart-repo.internal
# name: private-repo
# type: helm
# password: my-password
# username: my-username
# private-repo:
# url: https://github.com/argoproj/private-repo
# Argo CD sensitive data
# Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sensitive-data-and-sso-client-secrets
secret:
# -- Bcrypt hashed admin password
## Argo expects the password in the secret to be bcrypt hashed. You can create this hash with
## `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
argocdServerAdminPassword: $admin.password
## Dex image
image:
# -- Dex image repository
repository: harbor.avroid.tech/quay-proxy/dexidp/dex
## Redis-HA subchart replaces custom redis deployment when `redis-ha.enabled=true`
# Ref: https://github.com/DandyDeveloper/charts/blob/master/charts/redis-ha/values.yaml
redis-ha:
# -- Enables the Redis HA subchart and disables the custom Redis single node deployment
enabled: true
## Server
server:
## Argo CD server Horizontal Pod Autoscaler
autoscaling:
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the Argo CD server
enabled: true
# -- Minimum number of replicas for the Argo CD server [HPA]
minReplicas: 2
# Argo CD server ingress configuration
ingress:
# -- Enable an ingress resource for the Argo CD server
enabled: true
# -- Additional ingress annotations
## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#option-1-ssl-passthrough
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
# -- Defines which ingress controller will implement the resource
ingressClassName: "nginx"
# -- Enable TLS configuration for the hostname defined at `server.ingress.hostname`
## TLS certificate will be retrieved from a TLS secret `argocd-server-tls`
## You can create this secret via `certificate` or `certificateSecret` option
tls: true
## Repo Server
repoServer:
## Repo server Horizontal Pod Autoscaler
autoscaling:
# -- Enable Horizontal Pod Autoscaler ([HPA]) for the repo server
enabled: true
# -- Minimum number of replicas for the repo server [HPA]
minReplicas: 2
# -- Additional containers to be added to the repo server pod
## Ref: https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/
## Note: Supports use of custom Helm templates
extraContainers:
- name: avp
command: [/var/run/argocd/argocd-cmp-server]
image: "{{ .Values.global.image.repository }}:{{ .Values.global.image.tag }}"
securityContext:
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
- mountPath: /tmp
name: tmp
# Register plugins into sidecar
- mountPath: /home/argocd/cmp-server/config/plugin.yaml
subPath: avp.yaml
name: cmp-plugin
# Important: Mount tools into $PATH
- name: custom-tools
subPath: argocd-vault-plugin
mountPath: /usr/local/bin/argocd-vault-plugin
# -- Init containers to add to the repo server pods
initContainers:
- name: download-tools
image: registry.access.redhat.com/ubi8
env:
- name: AVP_VERSION
value: 1.18.1
command: [sh, -c]
args:
- >-
curl -L https://nexus.avroid.tech/repository/devops-raw-proxy-gitea/argoproj-labs/argocd-vault-plugin/releases/download/v$(AVP_VERSION)/argocd-vault-plugin_$(AVP_VERSION)_linux_amd64 -o argocd-vault-plugin &&
chmod +x argocd-vault-plugin &&
mv argocd-vault-plugin /custom-tools/
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
# -- Additional volumes to the repo server pod
volumes:
- name: cmp-plugin
configMap:
name: cmp-plugin
- name: custom-tools
emptyDir: {}
# -- Automount API credentials for the Service Account into the pod.
automountServiceAccountToken: true
## ApplicationSet controller
applicationSet:
# -- The number of ApplicationSet controller pods to run
replicas: 2
# -- Configures notification services such as slack, email or custom webhook
# @default -- See [values.yaml]
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/services/overview/
notifiers:
service.telegram: |
token: $telegram-token
# -- Contains centrally managed global application subscriptions
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/subscriptions/
subscriptions:
- recipients:
# warning channel
- telegram:-1001685938630
triggers:
- on-sync-status-unknown
- app-deployed
- on-sync-succeeded
- recipients:
# critical channel
- telegram:-1001997104886
triggers:
- on-health-degraded
- on-sync-failed
# -- The notification template is used to generate the notification content
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/templates/
templates:
template.app-deployed: |
email:
subject: New version of an application {{.app.metadata.name}} is up and running.
message: |
{{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} is now running new version of deployments manifests.
template.app-health-degraded: |
email:
subject: Application {{.app.metadata.name}} has degraded.
message: |
{{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} has degraded.
Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
template.app-sync-failed: |
email:
subject: Failed to sync application {{.app.metadata.name}}.
message: |
{{if eq .serviceType "slack"}}:exclamation:{{end}} The sync operation of application {{.app.metadata.name}} has failed at {{.app.status.operationState.finishedAt}} with the following error: {{.app.status.operationState.message}}
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
template.app-sync-running: |
email:
subject: Start syncing application {{.app.metadata.name}}.
message: |
The sync operation of application {{.app.metadata.name}} has started at {{.app.status.operationState.startedAt}}.
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
template.app-sync-status-unknown: |
email:
subject: Application {{.app.metadata.name}} sync status is 'Unknown'
message: |
{{if eq .serviceType "slack"}}:exclamation:{{end}} Application {{.app.metadata.name}} sync is 'Unknown'.
Application details: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}.
{{if ne .serviceType "slack"}}
{{range $c := .app.status.conditions}}
* {{$c.message}}
{{end}}
{{end}}
template.app-sync-succeeded: |
email:
subject: Application {{.app.metadata.name}} has been successfully synced.
message: |
{{if eq .serviceType "slack"}}:white_check_mark:{{end}} Application {{.app.metadata.name}} has been successfully synced at {{.app.status.operationState.finishedAt}}.
Sync operation details are available at: {{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true .
# -- The trigger defines the condition when the notification should be sent
## For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/
triggers:
trigger.on-deployed: |
- description: Application is synced and healthy. Triggered once per commit.
oncePer: app.status.sync.revision
send:
- app-deployed
when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
trigger.on-health-degraded: |
- description: Application has degraded
send:
- app-health-degraded
when: app.status.health.status == 'Degraded'
trigger.on-sync-failed: |
- description: Application syncing has failed
send:
- app-sync-failed
when: app.status.operationState.phase in ['Error', 'Failed']
trigger.on-sync-running: |
- description: Application is being synced
send:
- app-sync-running
when: app.status.operationState.phase in ['Running']
trigger.on-sync-status-unknown: |
- description: Application status is 'Unknown'
send:
- app-sync-status-unknown
when: app.status.sync.status == 'Unknown'
trigger.on-sync-succeeded: |
- description: Application syncing has succeeded
send:
- app-sync-succeeded
when: app.status.operationState.phase in ['Succeeded']
#
# For more information: https://argo-cd.readthedocs.io/en/stable/operator-manual/notifications/triggers/#default-triggers
# defaultTriggers: |
# - on-sync-status-unknown

45
clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/README.md Normal file
View File

@@ -0,0 +1,45 @@
# Install Argo CD by [argocd-apps in argo-helm](https://github.com/argoproj/argo-helm/tree/main/charts/argocd-apps)
## Create from version
| Project | Version |
|---------------------|---------|
| ArgoCD Helm | 7.8.2 |
## Common
Используется подход управления приложениями через корневое приложение:
[App of Apps Pattern](https://github.com/argoproj/argo-helm/tree/main/charts/argocd-apps)
## Prepare install
Предварительно должен быть развёрнут и настроен ArgoCD через оператора `argo-cd` из состава `ArgoCD Helm` (каталог с инструкцией и переменными `argo-cd`)
## Install
Настраиваем для работы файл конфигурации kubectl для подключения к кластеру Kubernetes
И производим непосредственную установку корневого приложения ArgoCD:
```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install -n argocd argocd-apps argo/argocd-apps -f values-override.yaml
```
## Upgrade/Changes
Обновление настроек и чарта делаем так:
В начале сравниваем содержимое `values-override.yaml` с исходным файлом `values.yaml`
(ссылка на исходную версию зафиксирована в заголовке `values-override.yaml`) через diff (IDE лучше).
Или с новой версией `values.yaml` в Helm-чарте.
Вносим необходимые правки, новые опции или добавляем секреты.
Затем применяем:
```bash
helm upgrade -n argocd argocd-apps argo/argocd-apps -f values-override.yaml
```

37
clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-apps/values-override.yaml Normal file
View File

@@ -0,0 +1,37 @@
# -- Deploy Argo CD Applications within this helm release
# @default -- `{}` (See [values.yaml])
## Ref: https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/
applications:
root-app:
namespace: argocd
additionalLabels: {}
additionalAnnotations: {}
finalizers:
- resources-finalizer.argocd.argoproj.io
project: default
source:
repoURL: https://git.avroid.tech/K8s/k8s-configs.git
targetRevision: master
path: clusters/k8s-avroid-office.prod.local/namespaces
directory:
recurse: true
exclude: '*'
include: 'argocd-apps-*.yaml'
destination:
server: https://kubernetes.default.svc
namespace: argocd
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- Validate=true
- PrunePropagationPolicy=foreground
- PruneLast=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m

10
clusters/k8s-avroid-office.prod.local/namespaces/argocd/argocd-namespace.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: argocd
labels:
name: argocd
app.kubernetes.io/managed-by: manual
annotations:
scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=