From 30c94ecb8b52e1538672f8bad4a2564ee1f1c17d Mon Sep 17 00:00:00 2001
From: Andrei Kartashov
Date: Mon, 4 Sep 2023 10:55:03 +0700
Subject: [PATCH] fix argocd
---
README.md | 39 ++++++++++++++++---
scripts/bootstrap.sh | 4 +-
state/gullfaxi/apps-application.yaml | 28 +++++++++++++
state/gullfaxi/apps-project.yaml | 18 +++++++++
state/gullfaxi/system-application.yaml | 9 ++---
.../{argo-cd => }/argo-cd-application.yaml | 22 ++++++++---
6 files changed, 103 insertions(+), 17 deletions(-)
create mode 100644 state/gullfaxi/apps-application.yaml
create mode 100644 state/gullfaxi/apps-project.yaml
rename state/gullfaxi/system/{argo-cd => }/argo-cd-application.yaml (70%)
diff --git a/README.md b/README.md
index 1090533..e829250 100644
--- a/README.md
+++ b/README.md
@@ -10,10 +10,39 @@ Cluster created with kubeadm https://kubernetes.io/docs/setup/production-environ
 ## ArgoCD bootstrap
-```bash
+* Create ssh key for argocd, f.e. `ssh-keygen -f .ssh/argocd.ioot.xyz`
+* Add pub key .ssh/argocd.ioot.xyz.pub to https://github.com/amkartashov/gf-k8s/settings/keys/new
+* Run bootstrap script `scripts/bootstrap.sh -k gullfaxi -e gullfaxi`
+* Add git repo:
+ ```
+ argocd login --grpc-web argocd.ioot.xyz
+ argocd repo add git@github.com:amkartashov/gf-k8s --ssh-private-key-path ~/.ssh/argocd.ioot.xyz
+ ```
+* Create new Oauth application :
+ * Application name: argocd.ioot.xyz
+ * Homepage URL: https://argocd.ioot.xyz/
+ * Authorization callback URL: https://argocd.ioot.xyz/api/dex/callback
+ * Update dex client id and secret:
+ ```
+ kubectl --context gullfaxi -n argocd patch secret argocd-secret \
+ --patch='{"stringData": {
+ "dex.github.clientId": "REPLACE",
+ "dex.github.clientSecret": "REPLACE"
+ }}'
+ ```
-ssh-keygen -f .ssh/argocd.ioot.xyz
-# add pub key .ssh/argocd.ioot.xyz.pub to https://github.com/amkartashov/gf-k8s/settings/keys/new
+* Remove secret `kubectl --context gullfaxi -n argocd delete secret argocd-initial-admin-secret`.
-$ scripts/bootstrap.sh -k gullfaxi -e gullfaxi
-```
+## Passing Sensitive Parameters in ArgoCD apps
+
+Used methods:
+
+* manually creating K8s secrets (f.e. this way is used to configure repo secret in argocd)
+* manually updating K8s secrets (f.e. this way is used to configure GitHub Oauth App client secret)
+* modifying helm parameters in application
+
+## ArgoCD Projects
+
+* `default`: for app-of-apps
+* `system`: for cluster system apps, like monitoring + argocd itself
+* `apps`: for user level applications
diff --git a/scripts/bootstrap.sh b/scripts/bootstrap.sh
index e45e8a6..925e1cf 100755
--- a/scripts/bootstrap.sh
+++ b/scripts/bootstrap.sh
@@ -25,7 +25,7 @@ function main() {
 # apply manifests for crucial applications
 for app_file in \
- ${state_path}/system/argo-cd/argo-cd-application.yaml \
+ ${state_path}/system/argo-cd-application.yaml \
 ; do
 namespace=$(yq -e '.spec.destination.namespace' ${app_file})
 ${kubectl_cmd} create ns ${namespace} || true
@@ -33,6 +33,8 @@ function main() {
 done
 ${kubectl_cmd} apply -n argocd -R \
+ -f ${state_path}/apps-application.yaml \
+ -f ${state_path}/apps-project.yaml \
 -f ${state_path}/system-application.yaml \
 -f ${state_path}/system-project.yaml
diff --git a/state/gullfaxi/apps-application.yaml b/state/gullfaxi/apps-application.yaml
new file mode 100644
index 0000000..19599ef
--- /dev/null
+++ b/state/gullfaxi/apps-application.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: apps
+ namespace: argocd
+spec:
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ project: default
+ source:
+ repoURL: git@github.com:amkartashov/gf-k8s.git
+ path: state/gullfaxi/apps/
+ targetRevision: main
+ directory:
+ recurse: false
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
diff --git a/state/gullfaxi/apps-project.yaml b/state/gullfaxi/apps-project.yaml
new file mode 100644
index 0000000..b7b3d83
--- /dev/null
+++ b/state/gullfaxi/apps-project.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: apps
+ namespace: argocd
+ # Finalizer that ensures that project is not deleted until it is not referenced by any application
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ description: Project for user applications
+ sourceRepos:
+ - '*'
+ destinations:
+ - namespace: '*'
+ server: '*'
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
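Review bot: `path: state/gullfaxi/apps/` on `targetRevision: main` points at a directory this patch does not create (the diffstat lists nothing under `state/gullfaxi/apps/`), so unless that directory already exists on `main` the automated sync of the `apps` Application will fail on first bootstrap, and `scripts/bootstrap.sh` now applies this manifest unconditionally. Either add a placeholder manifest under that path in the same change or state in the README that the directory must exist before running the bootstrap. Note also that the app-of-apps runs in `project: default`; a child manifest under that path can itself declare `project: default` and so sidestep whatever the `apps` project restricts — if that is not intended, make sure child manifests are reviewed for their `project:` value.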
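Review bot: The `apps` AppProject in this hunk is as permissive as the built-in `default` project: `sourceRepos: '*'`, `destinations` of any namespace on any server, and a `clusterResourceWhitelist` of every group and kind, so an Application placed in it can deploy from any registered repo into `argocd` or `kube-system` and create cluster-scoped objects such as ClusterRoleBindings. The README hunk describes this as the user-level project, which is exactly where a narrower scope pays off. Pin `sourceRepos` to the repository the Applications in this patch already use, restrict `destinations.server` to the in-cluster endpoint with an explicit namespace list, and cut `clusterResourceWhitelist` down to what user apps genuinely need. The `CreateNamespace=true` sync option on the `apps` Application may still require `Namespace` to be allowed, so keep that single entry rather than the wildcard; confirm against the Argo CD version in use.

```yaml
spec:
  description: Project for user applications
  # only this repository may feed user apps; '*' admitted any registered repo
  sourceRepos:
    - git@github.com:amkartashov/gf-k8s.git
  # in-cluster only, and never into system namespaces; one entry per allowed namespace
  destinations:
    - server: https://kubernetes.default.svc
      namespace: '<user-app-namespace-placeholder>'
  # keep Namespace only if CreateNamespace=true on the apps Application needs it — confirm
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
```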
diff --git a/state/gullfaxi/system-application.yaml b/state/gullfaxi/system-application.yaml
index 0ec1a16..babef71 100644
--- a/state/gullfaxi/system-application.yaml
+++ b/state/gullfaxi/system-application.yaml
@@ -12,13 +12,10 @@ spec:
 project: default
 source:
 repoURL: git@github.com:amkartashov/gf-k8s.git
- path: state/gullfaxi
- targetRevision: master
+ path: state/gullfaxi/system/
+ targetRevision: main
 directory:
- recurse: true
- # manifests dir allows for nested manifests,
- # application dir allows for stand-alone application
- exclude: "{*/manifests/*,*/application/*}"
+ recurse: false
 syncPolicy:
 automated:
 prune: true
diff --git a/state/gullfaxi/system/argo-cd/argo-cd-application.yaml b/state/gullfaxi/system/argo-cd-application.yaml
similarity index 70%
rename from state/gullfaxi/system/argo-cd/argo-cd-application.yaml
rename to state/gullfaxi/system/argo-cd-application.yaml
index e805020..e7c0078 100644
--- a/state/gullfaxi/system/argo-cd/argo-cd-application.yaml
+++ b/state/gullfaxi/system/argo-cd-application.yaml
@@ -21,6 +21,23 @@ spec:
 helm:
 releaseName: argocd
 values: |
+ configs:
+ cm:
+ url: https://argocd.ioot.xyz
+ exec.enabled: true
+ statusbadge.enabled: "true"
+ dex.config: |
+ connectors:
+ - type: github
+ id: github
+ name: GitHub
+ config:
+ clientID: $dex.github.clientId
+ clientSecret: $dex.github.clientSecret
+ rbac:
+ policy.csv: |
+ # sub for amkartashov github account with id 7404372
+ g, Cgc3NDA0MzcyEgZnaXRodWI, role:admin
 server:
 # https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#ssl-passthrough-with-cert-manager-and-lets-encrypt
 ingress:
@@ -36,8 +53,3 @@ spec:
 - hosts:
 - argocd.ioot.xyz
 secretName: argocd-server-tls
- configEnabled: true
- config:
- url: https://argocd.ioot.xyz
- statusbadge.enabled: "true"
-
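Review bot: The GitHub connector under `dex.config` in the first hunk of `argo-cd-application.yaml` carries no `orgs` (or `teams`) restriction, so any GitHub account can complete the login flow at `https://argocd.ioot.xyz`; only `policy.csv` then limits what such a user can do, and since `policy.default` is not set in this hunk the effective role of unknown accounts depends on the chart default — confirm it is empty. Restricting the connector, e.g. `orgs:` / `  - name: <github-org-placeholder>` under `config:`, keeps unknown accounts from authenticating at all, which matters more now that `exec.enabled: true` exposes the pod terminal in the UI to anyone who is granted the `exec` RBAC action. Separately, `exec.enabled: true` is a bare boolean while the neighbouring `statusbadge.enabled: "true"` is quoted; ConfigMap data must be strings, so unless the chart stringifies `configs.cm` values the two will not render alike — `exec.enabled: "true"` keeps them consistent. The Application spec these values belong to starts outside the hunk.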