├── .github
│   └── workflows
│       └── publish.yaml
├── Dockerfile
├── LICENSE
├── README.md
├── _config.yml
├── examples
│   ├── harbor.md
│   ├── nexus.md
│   ├── skywalking.md
│   └── sonarqube.md
└── translation
    └── argocd-v2.6-release-candidate.md

/.github/workflows/publish.yaml:
--------------------------------------------------------------------------------
name: Publish

on:
  schedule:
    - cron: "0 16 * * *"
  workflow_dispatch:

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  image:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
        uses: actions/checkout@v3.0.0
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@79abd3f86f79a9d68a23c75a09a9a85889262adf
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GH_PUBLISH_SECRETS }}
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
--------------------------------------------------------------------------------

/Dockerfile:
--------------------------------------------------------------------------------
FROM ghcr.io/linuxsuren/hd:v0.0.70

RUN hd i kubernetes-sigs/kubectl
RUN hd get https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

CMD ["kubectl", "apply", "--namespace", "argocd", "-f", "install.yaml"]
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Rick

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Argo CD Guide

[Argo CD](https://argo-cd.readthedocs.io/) is a declarative, GitOps continuous delivery tool for [Kubernetes](https://kubernetes.io/).

This tutorial can be followed interactively with [mde](https://github.com/LinuxSuRen/md-exec).

## Installation
First, you need a [Kubernetes](https://github.com/kubernetes/kubernetes/) environment. The following tools help you set one up quickly:

> It is recommended to install the tools below with [hd](https://github.com/LinuxSuRen/http-downloader)
>
> The command to install `hd` is: `curl https://linuxsuren.github.io/tools/install.sh|bash`

| Tool | Installation | Usage |
|---|---|---|
| [k3d](https://k3d.io/) | `hd i k3d` | `k3d cluster create` |
| [kubekey](https://github.com/kubesphere/kubekey) | `hd i kk` | `kk create cluster` |
| [minikube](https://github.com/kubernetes/minikube) | `hd i minikube` | `minikube start` |

```shell
#!title: Install K3d
hd i k3d
```

```shell
#!title: Reinstall K3d cluster
k3d cluster delete
k3d cluster create
```

Once the Kubernetes environment is ready, the following commands install the latest version of `Argo CD` into the `argocd` namespace:

```shell
#!title: Install ArgoCD
kubectl create namespace argocd || true
hd get https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml
kubectl apply -n argocd -f install.yaml || rm -rf install.yaml
rm -rf install.yaml
```

If your environment has network problems reaching GitHub, you can install with the following command instead:

```shell
docker run -it --rm -v /root/.kube/:/root/.kube --network host --pull always ghcr.io/linuxsuren/argo-cd-guide:master
```

Get the initial password:
```shell
#!title: Get Password
kubectl -n argocd get secret argocd-initial-admin-secret -ojsonpath={.data.password} | base64 -d
```

Set up access:
```shell
kubectl -n argocd patch svc argocd-server --type='json' -p '[{"op":"replace", "path":"/spec/type", "value":"NodePort"}, {"op":"add", "path":"/spec/ports/0/nodePort","value":31518}]'
# Expose the k3d port
k3d node edit k3d-k3s-default-serverlb --port-add 31518:31518
```

Recommended tools:

| Tool | Installation | Description |
|---|---|---|
| [k9s](https://k9scli.io/) | `hd i k9s` | K9s is a terminal based UI to interact with your Kubernetes clusters. |
| `argocd` | `hd i argoproj/argo-cd` | |

## Best practices
To make sure your YAML is well-formed, you can validate it with [kubeconform](https://github.com/yannh/kubeconform) against the [Argo CD JSON Schema](https://github.com/argoproj/argo-cd/issues/9348).

## A simple example
After running the following command

```shell
#!title: Create A Sample App +f
cat <
```

As of v2.5.2, the Argo CD UI also supports adding Helm-type repositories; they can be added from the command line or with YAML.

```yaml
apiVersion: v1
data:
  enableOCI: dHJ1ZQ==
  name: c2staGVsbQ==
  project: ZGVmYXVsdA==
  type: aGVsbQ==
  url: cmVnaXN0cnktMS5kb2NrZXIuaW8=
kind: Secret
metadata:
  labels:
    argocd.argoproj.io/secret-type: repository
  name: repo-skywalking-helm
  namespace: argocd
type: Opaque
```

For an example of installing from an OCI-type Helm repository, see [examples/skywalking](examples/skywalking.md).

## Webhook
TODO

```
https://ip:port/api/webhook
```

## Config management plugins
Config Management Plugins (CMP) let Argo CD support formats other than Helm and Kustomize (anything that can be converted into Kubernetes resources).

For example, we can convert [GitHub Actions configuration files into Argo Workflows](https://github.com/LinuxSuRen/github-action-workflow/) files, so that Argo Workflows can be used as a CI tool without having to learn the `WorkflowTemplate` syntax of Argo Workflows.

> The example below requires Argo Workflows; please install it yourself, or see [this Chinese tutorial](https://github.com/LinuxSuRen/argo-workflows-guide).

All we need to do is add the plugin as a sidecar of `argocd-repo-server`. Here is the sidecar configuration:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
  namespace: argocd
spec:
  template:
    spec:
      containers:
        - args:
            - --loglevel
            - debug
          command:
            - /var/run/argocd/argocd-cmp-server
          image: ghcr.io/linuxsuren/github-action-workflow:master
          imagePullPolicy: IfNotPresent
          name: tool
          resources: {}
          securityContext:
            runAsNonRoot: true
            runAsUser: 999
          volumeMounts:
            - mountPath: /var/run/argocd
              name: var-files
            - mountPath: /home/argocd/cmp-server/plugins
              name: plugins
```

Then, after adding the following Argo CD Application, we can see that several Argo Workflows have been created.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: yaml-readme
  namespace: argocd
spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  project: default
  source:
    path: .github/workflows/ # It will generate multiple Argo CD application manifests
                             # based on YAML files from this directory.
                             # Please make sure the path ends with slash.
    plugin: {} # Argo CD will choose the corresponding CMP automatically
    repoURL: https://gitee.com/linuxsuren/yaml-readme # a sample project for discovering manifests
    targetRevision: HEAD
  syncPolicy:
    automated:
      selfHeal: true
```

Since a PVC is used as shared storage between Pods, we also need to install the corresponding dependency. In a test environment you can install [OpenEBS](https://openebs.io/docs/user-guides/installation) and set the storage class it provides as the [default storage class](https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/change-default-storage-class/):

```shell
kubectl patch storageclass openebs-hostpath -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'
```

If Git credentials are needed, they can be produced with the following command:

```shell
kubectl create secret generic git-secret --from-file=id_rsa=/root/.ssh/id_rsa --from-file=known_hosts=/root/.ssh/known_hosts --dry-run=client -oyaml
```

This is very helpful when adopting Argo Workflows as a continuous integration (CI) tool. If you find the GitHub Actions syntax clear enough, you can use the plugin above directly; if you would rather define an even simpler YAML, you can implement your own plugin. The core logic of a plugin is to convert the target file(s) into Kubernetes YAML, which in this case means `WorkflowTemplate`s.

Taking the idea further, a YAML (or JSON, or any other format) file in a custom format could also be converted into a Jenkinsfile that Jenkins understands, or into the configuration format of any other CI tool.

## Credential management
The following command generates an encrypted Secret:
```shell
kubectl create secret generic test --from-literal=username=admin --from-literal=password=admin --dry-run=client -oyaml -n default | kubeseal -oyaml
```

Here is the command for generating Docker registry credentials:
```shell
kubectl create secret docker-registry harbor --docker-server='10.121.218.184:30002' \
  --docker-username=admin --docker-password=password \
  --dry-run=client -oyaml -n default | kubeseal -oyaml
```

## Single sign-on
Argo CD [bundles a Dex service](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#dex); the following configuration can serve as a reference for integrating an external identity provider:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://10.121.218.184:31392 # address of the argo-cd server
  dex.config: |
    logger:
      level: debug
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
        config:
          baseURL: http://10.121.218.82:6080
          clientID: b9119ac2313f62625d8b1e9648f7b10b9dad9c5198f19e5df731b09ffa5d008d
          clientSecret: a0c1bef745da758609acceb5beba3c0104f04c3b0a491aee7c7c479ed3e26309
          redirectURI: https://10.121.218.184:31392/api/dex/callback
          groups:
            - dev # only allow the dev group
          useLoginAsID: false
```

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    # only allow users in the dev group to view applications
    p, role:org-readonly, applications, get, default/*, allow

    g, dev, role:org-readonly # assuming the group is named dev
  policy.default: role:org-readonly
  scopes: '[groups, email]'
```

For generic OAuth authentication, the relevant information is available at the following address:

`https://10.121.218.184:31392/api/dex/.well-known/openid-configuration`

## Multi-cluster
```shell
#!title: Create New Cluster
cat <
```
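The config management plugin section above says the core of a plugin is turning the target file(s) into Kubernetes YAML, here a `WorkflowTemplate`. The script below is an added illustration of that mapping and is not the github-action-workflow plugin's own code: the sample workflow is constructed inline (as a dict, so no YAML library is needed), and the `golang:1.20` image, the job-to-DAG-task and `run:`-step-to-script-template mapping are assumptions.

```python
import json

# Constructed sample: a minimal GitHub Actions workflow, already parsed from YAML and
# kept as a dict so the example runs without PyYAML.
SAMPLE_WORKFLOW = {
    "name": "build",
    "on": {"push": {"branches": ["main"]}},
    "jobs": {
        "test": {
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v3"},
                      {"name": "Unit tests", "run": "go test ./..."}],
        },
        "image": {
            "needs": "test",
            "runs-on": "ubuntu-latest",
            "steps": [{"name": "Build image", "run": "docker build -t app ."}],
        },
    },
}


def to_workflow_template(workflow, image="golang:1.20"):
    """Map a GitHub Actions workflow dict onto an Argo WorkflowTemplate dict.
    Simplified illustration, not the plugin's own logic: each job becomes a DAG task,
    each `run:` step a script template executed in `image`; `uses:` steps are skipped
    because an action runtime is out of scope here."""
    templates, tasks = [], []
    for job_name, job in workflow["jobs"].items():
        steps = []  # a steps template is a list of parallel groups; one group per step
        for i, step in enumerate(job.get("steps", [])):
            if "run" not in step:
                continue
            tmpl = f"{job_name}-{i}"
            templates.append({"name": tmpl, "script": {
                "image": image, "command": ["sh"], "source": step["run"]}})
            steps.append([{"name": tmpl, "template": tmpl}])
        templates.append({"name": job_name, "steps": steps})
        needs = job.get("needs", [])
        task = {"name": job_name, "template": job_name}
        if needs:  # GitHub Actions allows a single job name or a list
            task["dependencies"] = [needs] if isinstance(needs, str) else list(needs)
        tasks.append(task)
    templates.append({"name": "main", "dag": {"tasks": tasks}})
    return {"apiVersion": "argoproj.io/v1alpha1", "kind": "WorkflowTemplate",
            "metadata": {"name": workflow.get("name", "workflow")},
            "spec": {"entrypoint": "main", "templates": templates}}


if __name__ == "__main__":
    print(json.dumps(to_workflow_template(SAMPLE_WORKFLOW), indent=2))
```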
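To see what the `argocd-rbac-cm` policy in the single sign-on section actually grants, here is an added Python evaluator (not Argo CD's own casbin-based code) that applies the same rule Argo CD uses, allow when some matching line says allow and no matching line says deny, to the page's `policy.csv`. It assumes glob-only pattern matching (Argo CD also accepts regular expressions) and treats `policy.default` as a role that every authenticated user holds, which is why a user outside the `dev` group ends up with the same read access once that fallback is set.

```python
import fnmatch

# Constructed input: the policy.csv from the argocd-rbac-cm above plus its policy.default.
POLICY_CSV = """\
# only allow users in the dev group to view applications
p, role:org-readonly, applications, get, default/*, allow

g, dev, role:org-readonly
"""
POLICY_DEFAULT = "role:org-readonly"


def parse_policy(csv_text):
    """Split policy.csv into permission rules (p) and subject-to-role bindings (g)."""
    perms, bindings = [], {}
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        if f[0] == "p" and len(f) == 6:
            perms.append(tuple(f[1:]))  # (subject, resource, action, object, effect)
        elif f[0] == "g" and len(f) == 3:
            bindings.setdefault(f[1], set()).add(f[2])
    return perms, bindings


def roles_of(subjects, bindings):
    """Follow g-bindings transitively, so a user or group inherits every bound role."""
    seen, todo = set(), list(subjects)
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(bindings.get(s, ()))
    return seen


def enforce(csv_text, subjects, resource, action, obj, default_role=None):
    """Simplified model of Argo CD's check: allowed when some matching rule says allow
    and none says deny. Assumption: glob patterns only (fnmatch); Argo CD also takes regex."""
    perms, bindings = parse_policy(csv_text)
    subs = roles_of(list(subjects) + ([default_role] if default_role else []), bindings)
    allowed = denied = False
    for sub, res, act, pat, eft in perms:
        if sub in subs and all(fnmatch.fnmatchcase(v, p) for v, p in
                               ((resource, res), (action, act), (obj, pat))):
            allowed |= eft == "allow"
            denied |= eft == "deny"
    return allowed and not denied
```

`subjects` is the list of identities the token carries (the user name plus the groups delivered through the `groups` scope); pass `default_role=POLICY_DEFAULT` to model the fallback role.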