Argo cd

REST API (Swagger UI): https://argocd.example.com/swagger-ui#

argocd plugin

Plugins are the essence of Argo CD. Think boldly: there is almost nothing you cannot do with them. To integrate KubeVela, Ansible or similar tools, you only need to install the tool inside argocd-repo-server. See the Argo CD docs for the plugin details and the build environment variables available to plugin commands.

```yaml
# argocd-cm configmap
  configManagementPlugins: |
    - name: helm
      init:
        command: ["/bin/bash", "-c"]
        args: ["cat ../values.yaml >>values.yaml"]
      generate:
        command: ["/bin/bash", "-c"]
        args: ["helm template $ARGOCD_APP_NAME ."]  # everything this stage writes to stdout is applied to the cluster as resources
```

Git webhook

Webhook details: by default Argo CD checks Git against the deployed resources for differences every three minutes; a webhook lets a push trigger that refresh immediately.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
type: Opaque
stringData:
  # gitlab webhook secret
  webhook.gitlab.secret: shhhh! it's a gitlab secret
```

Rbac

Create the local user alice

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
...
data:
  # local account alice, allowed to use API keys and the login UI/CLI
  accounts.alice: apiKey, login
  # disables user. User is enabled by default
  accounts.alice.enabled: "false"
```

Modify user password

```bash
argocd account update-password \
  --account <name> \
  --current-password <current-admin> \
  --new-password <new-user-password>
```

forgot admin password

Generate a bcrypt hash of the new password and patch it into argocd-secret

```bash
# password: cloudnative
# Official example: https://github.com/argoproj/argo-cd/blob/master/docs/faq.md#i-forgot-the-admin-password-how-do-i-reset-it
kubectl -n argocd patch secret argocd-secret \
  -p '{"stringData": {
    "admin.password": "$2a$10$f5lYCo9er3MEV1XIFbTlaeCQMYdZQnc.fPnu86LFlE0vHz.NmPHte",
    "admin.passwordMtime": "'$(date +%FT%T%Z)'"
  }}'
```

Argocd login with gitlab

Create a client ID and secret in GitLab (the same applies when wiring up other login providers); the GitLab Application needs the read_user and openid scopes.
Argo CD official example

```yaml
# argocd-cm configmap 
  url: https://you.argocd.com
  dex.config: |-
    connectors:
      - type: gitlab
        id: gitlab
        name: Gitlab
        config:
          baseURL: http://you.gitlab.com
          clientID: 8a036d7d630f48647147c601bcb256a374817dcf724aeed83c3cead80a803a51
          clientSecret: 5aec258e1b653951b93359d5daaf7306eda50976d778b1d02c447b09d8232045
          # optional: Argo CD builds the redirectURI from url above when it is omitted
          redirectURI: https://you.argocd.com/api/dex/callback    
```

Custom rbac policy

Resources: clusters projects applications repositories certificates
Actions: get create update delete sync override action

Applications (which belong to a project):
p, <user/group>, <resource>, <action>, <project>/<object>

All other resources:
p, <user/group>, <resource>, <action>, <object>

Restrict cloudnative so that it can only sync the iauth application in the business project:
p, role:cloudnative, applications, sync, business/iauth, allow

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # once set, everyone except admin is read-only; grant anything more through policy.csv
  policy.default: role:readonly
  policy.csv: |
    p, role:cloudnative, applications, *, */*, allow
    p, role:cloudnative, clusters, get, *, allow
    p, role:cloudnative, repositories, get, *, allow
    p, role:cloudnative, repositories, create, *, allow
    p, role:cloudnative, repositories, update, *, allow
    p, role:cloudnative, repositories, delete, *, allow
    #  gitlab_group/sub_group
    g, cloudnative/kubernetes, role:cloudnative
    # the local account defined in argocd-cm above
    g, alice, role:cloudnative    
```
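To make the policy syntax (`p, <subject>, <resource>, <action>, <project>/<object>, <effect>` and `g, <subject>, <role>`) and the ConfigMap above concrete, here is an added example, my own code rather than Argo CD's, that evaluates `policy.csv` lines the way a practitioner would reason about them: which subject ends up with which role, and whether a given request on a given object is allowed. Argo CD itself uses casbin with its own `model.conf`; this re-implementation assumes a `*` glob that also matches `/`, that a matching `deny` overrides `allow`, that `policy.default` is tried only when the caller's own roles grant nothing, and it hand-writes a small subset of the built-in `role:readonly`. The policy text is copied from the page; the subjects `bob` and the cluster URL in the checks are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

PolicyRule = Tuple[str, str, str, str, str]  # subject, resource, action, object, effect

# policy.csv from the argocd-rbac-cm above.
CLOUDNATIVE_POLICY = """
p, role:cloudnative, applications, *, */*, allow
p, role:cloudnative, clusters, get, *, allow
p, role:cloudnative, repositories, get, *, allow
p, role:cloudnative, repositories, create, *, allow
p, role:cloudnative, repositories, update, *, allow
p, role:cloudnative, repositories, delete, *, allow
# gitlab_group/sub_group
g, cloudnative/kubernetes, role:cloudnative
g, alice, role:cloudnative
"""

# The narrower policy from the text: cloudnative may only sync business/iauth.
NARROW_POLICY = """
p, role:cloudnative, applications, sync, business/iauth, allow
g, alice, role:cloudnative
"""

# Assumption: a hand-written subset of Argo CD's built-in role:readonly,
# which policy.default hands to every authenticated subject.
BUILTIN_READONLY = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
"""


def _glob(pattern: str, value: str) -> bool:
    """Simplified matcher: '*' matches any run of characters, '/' included."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def parse_policy(csv_text: str) -> Tuple[List[PolicyRule], Dict[str, Set[str]]]:
    """Split policy.csv into p rules and g assignments (subject -> roles)."""
    rules: List[PolicyRule] = []
    groups: Dict[str, Set[str]] = {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append((fields[1], fields[2], fields[3], fields[4], fields[5]))
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, groups


def effective_subjects(subject: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The subject plus every role reachable through g lines (roles may nest)."""
    seen: Set[str] = set()
    todo = [subject]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(groups.get(s, ()))
    return seen


def _enforce(rules: List[PolicyRule], subjects: Set[str],
             resource: str, action: str, obj: str) -> bool:
    """Default-model semantics: some matching allow and no matching deny."""
    allowed = denied = False
    for p_sub, p_res, p_act, p_obj, effect in rules:
        if (p_sub in subjects and _glob(p_res, resource)
                and _glob(p_act, action) and _glob(p_obj, obj)):
            allowed |= effect == "allow"
            denied |= effect == "deny"
    return allowed and not denied


def is_allowed(policy_csv: str, subject: str, resource: str, action: str,
               obj: str, default_role: str = "") -> bool:
    """Is `subject` allowed `action` on `resource` `obj` under this policy.csv?"""
    rules, groups = parse_policy(policy_csv)
    if _enforce(rules, effective_subjects(subject, groups), resource, action, obj):
        return True
    # Assumption: like Argo CD, fall back to policy.default as the subject
    # only when the caller's own roles grant nothing.
    return bool(default_role) and _enforce(
        rules, effective_subjects(default_role, groups), resource, action, obj)


FULL_POLICY = BUILTIN_READONLY + CLOUDNATIVE_POLICY

if __name__ == "__main__":
    for who, res, act, obj in [
        ("alice", "applications", "sync", "business/iauth"),
        ("alice", "clusters", "create", "https://kubernetes.default.svc"),
        ("bob", "applications", "get", "business/iauth"),
        ("bob", "applications", "sync", "business/iauth"),
    ]:
        print(who, res, act, obj, "->", is_allowed(FULL_POLICY, who, res, act, obj, "role:readonly"))
```

Running it shows the two things worth checking before shipping a policy: the ConfigMap's `applications, *, */*` line gives every member of `role:cloudnative` every application action in every project, while `policy.default: role:readonly` gives an unlisted user like `bob` only `get`; the narrower one-line policy from the text limits alice to `sync` on `business/iauth` and nothing else.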

backup

```bash
# run inside the argocd-server pod
kubectl exec -it -n argocd argocd-server-7b798db89f-gw2jr -- argocd-util export > backup.yaml
```

restore

```bash
kubectl exec -it -n argocd argocd-server-7b798db89f-gw2jr -- argocd-util import - < backup.yaml
```

or

```bash
kubectl -n argocd apply -f backup.yaml
```