fix argocd

2026-01-10 17:39:43 +00:00 · 2023-09-04 10:55:03 +07:00 · 2023-09-04 10:55:03 +07:00 · 30c94ecb8b
commit 30c94ecb8b
parent 18366a9b05
6 changed files with 103 additions and 17 deletions
--- a/README.md
+++ b/README.md
@ -10,10 +10,39 @@ Cluster created with kubeadm https://kubernetes.io/docs/setup/production-environ

 ## ArgoCD bootstrap

-```bash
+* Create ssh key for argocd, f.e. `ssh-keygen -f .ssh/argocd.ioot.xyz`
+* Add pub key .ssh/argocd.ioot.xyz.pub to https://github.com/amkartashov/gf-k8s/settings/keys/new
+* Run bootstrap script `scripts/bootstrap.sh -k gullfaxi -e gullfaxi`
+* Add git repo:
+  ```
+  argocd login --grpc-web argocd.ioot.xyz
+  argocd repo add git@github.com:amkartashov/gf-k8s --ssh-private-key-path ~/.ssh/argocd.ioot.xyz
+  ```
+* Create new Oauth application <https://github.com/settings/applications/new>:
+  * Application name: argocd.ioot.xyz
+  * Homepage URL: https://argocd.ioot.xyz/
+  * Authorization callback URL: https://argocd.ioot.xyz/api/dex/callback
+  * Update dex client id and secret:
+    ```
+    kubectl --context gullfaxi -n argocd patch secret argocd-secret \
+    --patch='{"stringData": {
+      "dex.github.clientId": "REPLACE",
+      "dex.github.clientSecret": "REPLACE"
+    }}'
+    ```

-ssh-keygen -f .ssh/argocd.ioot.xyz
-# add pub key .ssh/argocd.ioot.xyz.pub to https://github.com/amkartashov/gf-k8s/settings/keys/new
+* Remove secret `kubectl --context gullfaxi -n argocd delete secret argocd-initial-admin-secret`.

-$ scripts/bootstrap.sh -k gullfaxi -e gullfaxi
-```
+## Passing Sensitive Parameters in ArgoCD apps
+
+Used methods:
+
+* manually creating K8s secrets (f.e. this way is used to configure repo secret in argocd)
+* manually updating K8s secrets (f.e. this way is used to configure GitHub Oauth App client secret)
+* modifying helm parameters in application
+
+## ArgoCD Projects
+
+* `default`: for app-of-apps
+* `system`: for cluster system apps, like monitoring + argocd itself
+* `apps`: for user level applications
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@ -25,7 +25,7 @@ function main() {

    # apply manifests for crucial applications
    for app_file in \
-        ${state_path}/system/argo-cd/argo-cd-application.yaml \
+        ${state_path}/system/argo-cd-application.yaml \
        ; do
        namespace=$(yq -e '.spec.destination.namespace' ${app_file})
        ${kubectl_cmd} create ns ${namespace} || true
@ -33,6 +33,8 @@ function main() {
    done

    ${kubectl_cmd} apply -n argocd -R \
+        -f ${state_path}/apps-application.yaml \
+        -f ${state_path}/apps-project.yaml \
        -f ${state_path}/system-application.yaml \
        -f ${state_path}/system-project.yaml

--- a/state/gullfaxi/apps-application.yaml
+++ b/state/gullfaxi/apps-application.yaml
@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: apps
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  project: default
+  source:
+    repoURL: git@github.com:amkartashov/gf-k8s.git
+    path: state/gullfaxi/apps/
+    targetRevision: main
+    directory:
+      recurse: false
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
--- a/state/gullfaxi/apps-project.yaml
+++ b/state/gullfaxi/apps-project.yaml
@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: apps
+  namespace: argocd
+  # Finalizer that ensures that project is not deleted until it is not referenced by any application
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  description: Project for user applications
+  sourceRepos:
+  - '*'
+  destinations:
+  - namespace: '*'
+    server: '*'
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'
--- a/state/gullfaxi/system-application.yaml
+++ b/state/gullfaxi/system-application.yaml
@ -12,13 +12,10 @@ spec:
  project: default
  source:
    repoURL: git@github.com:amkartashov/gf-k8s.git
-    path: state/gullfaxi
-    targetRevision: master
+    path: state/gullfaxi/system/
+    targetRevision: main
    directory:
-      recurse: true
-      # manifests dir allows for nested manifests,
-      # application dir allows for stand-alone application
-      exclude: "{*/manifests/*,*/application/*}"
+      recurse: false
  syncPolicy:
    automated:
      prune: true
--- a/state/gullfaxi/system/argo-cd/argo-cd-application.yaml
+++ b/state/gullfaxi/system/argo-cd/argo-cd-application.yaml
@ -21,6 +21,23 @@ spec:
    helm:
      releaseName: argocd
      values: |
+        configs:
+          cm:
+            url: https://argocd.ioot.xyz
+            exec.enabled: true
+            statusbadge.enabled: "true"
+            dex.config: |
+              connectors:
+              - type: github
+                id: github
+                name: GitHub
+                config:
+                  clientID: $dex.github.clientId
+                  clientSecret: $dex.github.clientSecret
+          rbac:
+            policy.csv: |
+              # sub for amkartashov github account with id 7404372
+              g, Cgc3NDA0MzcyEgZnaXRodWI, role:admin
        server:
          # https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#ssl-passthrough-with-cert-manager-and-lets-encrypt
          ingress:
@ -36,8 +53,3 @@ spec:
              - hosts:
                  - argocd.ioot.xyz
                secretName: argocd-server-tls
-          configEnabled: true
-          config:
-            url: https://argocd.ioot.xyz
-            statusbadge.enabled: "true"
-