ArgoCD

Initialize

We are going to use Kustomize to deploy ArgoCD.

kustomization.yml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: argocd
resources:
  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.7.2/manifests/install.yaml
  # - repos.yml
  # - argo-ingress.yml

labels:
  - pairs:
      app.kubernetes.io/part-of: argocd
      cluster: hlab

patches:
  - path: svc.yml
  - path: argocd-cm.yml
  - path: argocd-cmd-params-cm.yml
  # - path: rbac-cm.yml
  # - path: argocd-notifications-cm.yml

# generatorOptions:
#   disableNameSuffixHash: true

# secretGenerator:
#   - name: repo-creds
#     options:
#       labels:
#         argocd.argoproj.io/secret-type: repo-creds
#     envs:
#       - creds.env

Patch

We are going to use Kustomize patches to modify the default values.

svc.yml

This is how we tell the ArgoCD load balancer that gets created which IP to use.

This is optional, but I recommend it.

apiVersion: v1
kind: Service
metadata:
  name: argocd-server
spec:
  loadBalancerIP: 10.10.4.210
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 8080
    - name: https
      port: 443
      protocol: TCP
      targetPort: 8080
  selector:
    app.kubernetes.io/name: argocd-server

argocd-cm.yml

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  statusbadge.enabled: "true"
  exec.enabled: "true"          # allows "kubectl exec"-style terminals from the UI
  admin.enabled: "true"         # keeps the local admin account; disable once OIDC works
  url: "https://argocd.hlab.c0.spakl"

argocd-cmd-params-cm.yml

This allows Applications in any namespace and enables notifications self-service.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
data:
  # Applications may live in any namespace, not only argocd; the AppProject
  # still decides where they are allowed to deploy.
  application.namespaces: "*"
  notificationscontroller.selfservice.enabled: "true"

Apply

This will deploy the minimal ArgoCD.

kubectl apply -k .

Extra

OIDC

Set up login with roles for your users.

danger

Identity Provider Required

argocd-cm.yml

Let's add the OIDC auth fields for our provider.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  statusbadge.enabled: "true"
  exec.enabled: "true"
  admin.enabled: "true"
  url: "https://argocd.hlab.c0.spakl"
  # Disables certificate verification of the issuer; only acceptable in a lab.
  oidc.tls.insecure.skip.verify: "true"
  oidc.config: |
    name: Zitadel
    issuer: "https://auth.provider.com"
    clientID: ""
    # Can also reference a key in argocd-secret as $oidc.clientSecret
    # instead of inlining the value here.
    clientSecret: ""
    getUserInfo: true
    requestedScopes:
      - openid
      - profile
      - email
      - groups
      - offline_access
    logoutURL: "https://auth.spakl.io/oidc/v1/end_session"

rbac-cm.yml

Use the groups claim on the token to assign roles to OIDC users.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  scopes: '[groups]'
  policy.csv: |
    g, argocd_administrators, role:admin
    g, argocd_users, role:readonly
  # Empty default: a logged-in user whose groups match nothing gets no access.
  policy.default: ''
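To see what the two `g` lines above actually grant, here is an added Python evaluator (not from the page or the ArgoCD project) for the `g` and `p` lines of policy.csv. It approximates ArgoCD's casbin model with glob matching, and the `p` lines for role:admin and role:readonly are a constructed subset of the built-in roles.

```python
# Added example: evaluate which actions an OIDC user's groups allow under the
# page's policy.csv. Matching approximates ArgoCD's casbin model: glob match on
# resource/action/object, any "allow" grants unless some "deny" line also matches.
from fnmatch import fnmatchcase

# The page's rbac-cm mapping plus a constructed subset of ArgoCD's built-in roles.
POLICY_CSV = """
g, argocd_administrators, role:admin
g, argocd_users, role:readonly
g, role:admin, role:readonly
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, projects, update, *, allow
"""

def parse_policy(csv_text):
    """Return (grants, roles): p-lines as tuples, g-lines as subject -> set of roles."""
    grants, roles = [], {}
    for raw in csv_text.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            grants.append(tuple(fields[1:]))  # subject, resource, action, object, effect
        elif fields[0] == "g" and len(fields) == 3:
            roles.setdefault(fields[1], set()).add(fields[2])
    return grants, roles

def effective_subjects(groups, roles, default_role=""):
    """Expand the token's groups (plus policy.default) transitively through g-lines."""
    todo = list(groups) + ([default_role] if default_role else [])
    seen = set()
    while todo:
        subject = todo.pop()
        if subject in seen:
            continue
        seen.add(subject)
        todo.extend(roles.get(subject, ()))
    return seen

def can(groups, resource, action, obj, csv_text=POLICY_CSV, default_role=""):
    """True if the groups (from the OIDC groups claim) may perform action on obj."""
    grants, roles = parse_policy(csv_text)
    subjects = effective_subjects(groups, roles, default_role)
    effects = {eff for subj, res, act, o, eff in grants
               if subj in subjects and fnmatchcase(resource, res)
               and fnmatchcase(action, act) and fnmatchcase(obj, o)}
    return "allow" in effects and "deny" not in effects
```

With `policy.default: ''` a user in an unknown group can do nothing at all; passing `default_role="role:readonly"` shows what a non-empty default would hand out.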

Alerts

danger

Discord Webhook Required

argocd-notifications-cm.yml

This is still a work in progress, but it uses an ArgoCD webhook service to send alerts to Discord.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-notifications-cm
  annotations:
    argocd.argoproj.io/sync-wave: "-5"
data:
  ## SET DEFAULTS
  subscriptions: |
    - recipients:
        - discord
      triggers:
        - discord-on-deployed
        - discord-on-health-degraded
        - discord-on-sync-failed
        - discord-on-sync-status-unknown
  service.webhook.discord: |
    headers:
      - name: Content-Type
        value: application/json
    url: "https://discord.com"
  template.notify-discord: |
    webhook:
      discord:
        # path is appended to the service url above, so keep it relative;
        # the webhook id and token are left blank here.
        path: "/api/webhooks//"
        method: POST
        # "content": "{{ .app.metadata.name }}: {{ .app.status.sync.status }}",
        body: |
          {
            "content": "# **{{ .app.metadata.name }}**\n## Status\nStatus: **{{ .app.status.sync.status }}**\nHealth: **{{ .app.status.health.status }}**\n## Sync\nSync Revision: **{{ .app.status.sync.revision }}**\nSync Started At: **{{ .app.status.operationState.startedAt }}**\nSync Finished At: **{{ .app.status.operationState.finishedAt }}**",
            "embeds": [
              {
                "title": "Revision {{ .app.status.sync.revision }}",
                "description": "commit_message: **{{ (call .repo.GetCommitMetadata .app.status.sync.revision).Message }}**",
                "author": {
                  "name": "{{ (call .repo.GetCommitMetadata .app.status.sync.revision).Author }}"
                },
                "url": "{{ (trimAll ".git" .app.spec.source.repoURL) }}/-/commit/{{ .app.status.sync.revision }}"
              },
              {
                "title": "Application Status",
                "description": "{{.app.status.health.status}}"
              }
            ]
          }
  template.failed-discord: |
    webhook:
      discord:
        path: "/api/webhooks//"
        method: POST
        body: |
          {
            "content": "{{ .app.metadata.name }}",
            "embeds": [
              {
                "title": "Revision {{ .app.status.sync.revision }}",
                "description": "{{ (call .repo.GetCommitMetadata .app.status.sync.revision).Message }}",
                "author": {
                  "name": "{{ (call .repo.GetCommitMetadata .app.status.sync.revision).Author }}"
                },
                "url": "{{ (trimAll ".git" .app.spec.source.repoURL) }}/-/commit/{{ .app.status.sync.revision }}"
              }
            ]
          }
  # these are the same triggers from the catalog, but sending the custom Discord template
  trigger.discord-on-deployed: |
    - description: Application is synced and healthy. Triggered once per commit.
      # oncePer: app.status.operationState.syncResult.revision
      oncePer: app.status.sync.revision
      send:
        - notify-discord
      when: app.status.operationState.phase in ['Succeeded'] and app.status.health.status == 'Healthy'
  trigger.discord-on-health-degraded: |
    - description: Application has degraded
      send:
        - failed-discord
      when: app.status.health.status == 'Degraded'
    - description: Application has degraded
      send:
        - notify-discord
      when: app.status.health.status == 'Degraded'
    - description: Application is missing
      send:
        - failed-discord
      when: app.status.health.status == 'Missing'
  trigger.discord-on-sync-failed: |
    - description: Application syncing has failed
      send:
        - failed-discord
      when: app.status.operationState.phase in ['Error', 'Failed']
  trigger.discord-on-sync-running: |
    - description: Application is being synced
      send:
        # - notify-discord
        - failed-discord
      when: app.status.operationState.phase in ['Running']
  trigger.discord-on-sync-status-unknown: |
    - description: Application status is 'Unknown'
      send:
        - notify-discord
      when: app.status.sync.status == 'Unknown'
  trigger.discord-on-sync-succeeded: |
    - description: Application syncing has succeeded
      send:
        - notify-discord
      when: app.status.operationState.phase in ['Succeeded']
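The templates above paste the commit message straight into a JSON string literal, so a message containing a double quote or a newline produces a body Discord rejects. This added Python check (not from the page or ArgoCD) renders a trimmed copy of the failed-discord embed with constructed sample data and validates the result; the rendering is a stand-in for Go templates that only substitutes `{{ expr }}` placeholders from a dict and honours a trailing `| toJson` (the sprig function available in notification templates).

```python
# Added example: verify that a webhook body built from the page's template is
# still valid JSON once real values are substituted, and that JSON-encoding the
# value in the template (| toJson) fixes the breakage. Constructed renderer, not
# Go's text/template.
import json
import re

PLACEHOLDER = re.compile(r"\{\{\s*(.*?)\s*\}\}")

def render(template, values):
    """Substitute placeholders; '| toJson' emits a JSON-encoded (quoted, escaped) value."""
    def sub(match):
        expr = match.group(1)
        encode = expr.endswith("| toJson")
        key = expr.removesuffix("| toJson").strip()
        value = values[key]
        return json.dumps(value) if encode else str(value)
    return PLACEHOLDER.sub(sub, template)

def body_is_valid_json(rendered):
    try:
        json.loads(rendered)
        return True
    except json.JSONDecodeError:
        return False

MSG = "(call .repo.GetCommitMetadata .app.status.sync.revision).Message"
# Trimmed form of the page's failed-discord embed: the message sits inside a
# hand-quoted JSON string, exactly as in the original template.
RAW_TEMPLATE = ('{"content": "{{ .app.metadata.name }}", '
                '"embeds": [{"description": "{{ ' + MSG + ' }}"}]}')
# Same embed, but the template JSON-encodes the value itself (no surrounding quotes).
SAFE_TEMPLATE = ('{"content": "{{ .app.metadata.name }}", '
                 '"embeds": [{"description": {{ ' + MSG + ' | toJson }}}]}')

# Constructed sample data: a commit message with a double quote and a newline.
SAMPLE = {
    ".app.metadata.name": "kubevip",
    MSG: 'Bump image to "v0.6"\nand rotate token',
}

def check_templates(values=SAMPLE):
    """Return (raw_ok, safe_ok): whether each template yields valid JSON for values."""
    return (body_is_valid_json(render(RAW_TEMPLATE, values)),
            body_is_valid_json(render(SAFE_TEMPLATE, values)))

def safe_description(values=SAMPLE):
    """Parsed description from the toJson variant: the original text survives intact."""
    return json.loads(render(SAFE_TEMPLATE, values))["embeds"][0]["description"]
```

The same fix applies to the notify-discord template: wrap the whole string in `printf` and pipe it to `toJson` rather than quoting it by hand.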

Traefik Ingress

danger

Traefik and cert manager required!

Create the argo-ingress.yml file.

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`argocd.hlab.c0.spakl`)
      priority: 10
      services:
        - name: argocd-server
          port: 443
          scheme: https
    - kind: Rule
      match: Host(`argocd.hlab.c0.spakl`) && Header(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argocd-server
          port: 443
          scheme: h2c
  tls:
    secretName: argocd-server-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: argocd-server-tls
  namespace: argocd
spec:
  secretName: argocd-server-tls
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
  ipAddresses:
    - "10.10.4.210"
  dnsNames:
    - "argocd.hlab.c0.spakl"

Repo Creds Template

To do this we need to set up the secret generator in the kustomization.yml.

kustomization.yml

generatorOptions:
  disableNameSuffixHash: true

secretGenerator:
  - name: repo-creds
    options:
      labels:
        argocd.argoproj.io/secret-type: repo-creds
    envs:
      - creds.env

Now we need to make the creds.env file.

type=git
url=https://gitlab.com/group/hlab-cluster
username=email
password=token

danger

Add to .gitignore

Repo Cred Static

Now we can make the repos.yml.

repos.yml
---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: https://gitlab.com/d3vbd/hlab-cluster/traefik.git
---
apiVersion: v1
kind: Secret
metadata:
  name: alloy-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: https://gitlab.com/d3vbd/hlab-cluster/alloy.git
---
apiVersion: v1
kind: Secret
metadata:
  name: cert-manager-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: https://gitlab.com/d3vbd/hlab-cluster/cert-manager.git

Apply

This deploys the required credentials as a repository credential template.

kubectl apply -k .

Sync

Now we can set up a sync project. For simplicity I am going to put it in the argocd repo under the sync folder.

mkdir sync
cd sync

Let's make a projects folder and create the hlab Argo project.

project/hlab.yml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: hlab
spec:
  # '*' everywhere lets Applications in this project pull from any repo and
  # deploy to any namespace, including cluster-scoped resources. Fine for a
  # lab; narrow these lists for anything shared.
  sourceRepos:
    - '*'
  destinations:
    - namespace: '*'
      server: 'https://kubernetes.default.svc'
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
warning

Add this path now to the kustomization resources:

kustomization.yml
resources:
  - ...
  - projects/sync.yml

Do the same for every sync project below, otherwise they won't get deployed.

KubeVip

Since we have kubevip saved in a repo, we can use it to deploy the files.

sync/kubevip.yml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kubevip
  namespace: argocd
  annotations:
    notifications.argoproj.io/subscribe.discord-on-health-degraded.discord: ""
    notifications.argoproj.io/subscribe.discord-on-sync-succeeded.discord: ""
    notifications.argoproj.io/subscribe.discord-on-sync-failed.discord: ""
    notifications.argoproj.io/subscribe.discord-on-sync-status-unknown.discord: ""
    notifications.argoproj.io/subscribe.discord-on-deployed.discord: ""
spec:
  project: hlab
  source:
    repoURL: 'https://gitlab.com/d3vbd/hlab-cluster/kubevip.git'
    targetRevision: master
    path: './'
    directory:
      recurse: true
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: kube-system
  syncPolicy:
    automated: # Enables automated sync
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true # Allows ArgoCD to create the namespace if it doesn't exist.

MetalLb

We need to remove the directory settings since we are using Kustomize in this project.

sync/metallb.yml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: metallb-sync
  namespace: argocd
  annotations:
    notifications.argoproj.io/subscribe.discord-on-health-degraded.discord: ""
    notifications.argoproj.io/subscribe.discord-on-sync-succeeded.discord: ""
    notifications.argoproj.io/subscribe.discord-on-sync-failed.discord: ""
    notifications.argoproj.io/subscribe.discord-on-sync-status-unknown.discord: ""
    notifications.argoproj.io/subscribe.discord-on-deployed.discord: ""
spec:
  project: hlab
  source:
    repoURL: 'https://gitlab.com/d3vbd/hlab-cluster/metallb.git'
    targetRevision: master
    path: './'
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: metallb-system
  syncPolicy:
    automated: # Enables automated sync
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true # Allows ArgoCD to create the namespace if it doesn't exist.

Apply

This will deploy the project and its Applications, and ArgoCD will start watching the repos for changes.

kubectl apply -k .

To make changes to these projects, such as metallb and kubevip, commit to the git repo.