fix argocd

README.md

@@ -10,10 +10,39 @@ Cluster created with kubeadm https://kubernetes.io/docs/setup/production-environ
 
 ## ArgoCD bootstrap
 
-```bash
+* Create ssh key for argocd, f.e. `ssh-keygen -f .ssh/argocd.ioot.xyz`
+* Add pub key .ssh/argocd.ioot.xyz.pub to https://github.com/amkartashov/gf-k8s/settings/keys/new
+* Run bootstrap script `scripts/bootstrap.sh -k gullfaxi -e gullfaxi`
+* Add git repo:
+  ```
+  argocd login --grpc-web argocd.ioot.xyz
+  argocd repo add git@github.com:amkartashov/gf-k8s --ssh-private-key-path ~/.ssh/argocd.ioot.xyz
+  ```
+* Create new Oauth application <https://github.com/settings/applications/new>:
+  * Application name: argocd.ioot.xyz
+  * Homepage URL: https://argocd.ioot.xyz/
+  * Authorization callback URL: https://argocd.ioot.xyz/api/dex/callback
+  * Update dex client id and secret:
+    ```
+    kubectl --context gullfaxi -n argocd patch secret argocd-secret \
+    --patch='{"stringData": {
+      "dex.github.clientId": "REPLACE",
+      "dex.github.clientSecret": "REPLACE"
+    }}'
+    ```
 
-ssh-keygen -f .ssh/argocd.ioot.xyz
+* Remove secret `kubectl --context gullfaxi -n argocd delete secret argocd-initial-admin-secret`.
-# add pub key .ssh/argocd.ioot.xyz.pub to https://github.com/amkartashov/gf-k8s/settings/keys/new
 
-$ scripts/bootstrap.sh -k gullfaxi -e gullfaxi
+## Passing Sensitive Parameters in ArgoCD apps
-```
+
+Used methods:
+
+* manually creating K8s secrets (f.e. this way is used to configure repo secret in argocd)
+* manually updating K8s secrets (f.e. this way is used to configure GitHub Oauth App client secret)
+* modifying helm parameters in application
+
+## ArgoCD Projects
+
+* `default`: for app-of-apps
+* `system`: for cluster system apps, like monitoring + argocd itself
+* `apps`: for user level applications

scripts/bootstrap.sh

@@ -25,7 +25,7 @@ function main() {
 
     # apply manifests for crucial applications
     for app_file in \
-        ${state_path}/system/argo-cd/argo-cd-application.yaml \
+        ${state_path}/system/argo-cd-application.yaml \
         ; do
         namespace=$(yq -e '.spec.destination.namespace' ${app_file})
         ${kubectl_cmd} create ns ${namespace} || true
@@ -33,6 +33,8 @@ function main() {
     done
 
     ${kubectl_cmd} apply -n argocd -R \
+        -f ${state_path}/apps-application.yaml \
+        -f ${state_path}/apps-project.yaml \
         -f ${state_path}/system-application.yaml \
         -f ${state_path}/system-project.yaml
 

state/gullfaxi/apps-application.yaml

@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: apps
+  namespace: argocd
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  project: default
+  source:
+    repoURL: git@github.com:amkartashov/gf-k8s.git
+    path: state/gullfaxi/apps/
+    targetRevision: main
+    directory:
+      recurse: false
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m

state/gullfaxi/apps-project.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: apps
+  namespace: argocd
+  # Finalizer that ensures that project is not deleted until it is not referenced by any application
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  description: Project for user applications
+  sourceRepos:
+  - '*'
+  destinations:
+  - namespace: '*'
+    server: '*'
+  clusterResourceWhitelist:
+  - group: '*'
+    kind: '*'

state/gullfaxi/system-application.yaml

@@ -12,13 +12,10 @@ spec:
   project: default
   source:
     repoURL: git@github.com:amkartashov/gf-k8s.git
-    path: state/gullfaxi
+    path: state/gullfaxi/system/
-    targetRevision: master
+    targetRevision: main
     directory:
-      recurse: true
+      recurse: false
-      # manifests dir allows for nested manifests,
-      # application dir allows for stand-alone application
-      exclude: "{*/manifests/*,*/application/*}"
   syncPolicy:
     automated:
       prune: true

state/gullfaxi/system/argo-cd-application.yaml

@@ -21,6 +21,23 @@ spec:
     helm:
       releaseName: argocd
       values: |
+        configs:
+          cm:
+            url: https://argocd.ioot.xyz
+            exec.enabled: true
+            statusbadge.enabled: "true"
+            dex.config: |
+              connectors:
+              - type: github
+                id: github
+                name: GitHub
+                config:
+                  clientID: $dex.github.clientId
+                  clientSecret: $dex.github.clientSecret
+          rbac:
+            policy.csv: |
+              # sub for amkartashov github account with id 7404372
+              g, Cgc3NDA0MzcyEgZnaXRodWI, role:admin
         server:
           # https://argo-cd.readthedocs.io/en/stable/operator-manual/ingress/#ssl-passthrough-with-cert-manager-and-lets-encrypt
           ingress:
@@ -36,8 +53,3 @@ spec:
               - hosts:
                   - argocd.ioot.xyz
                 secretName: argocd-server-tls
-          configEnabled: true
-          config:
-            url: https://argocd.ioot.xyz
-            statusbadge.enabled: "true"
-