├── README.md
├── argocd-operator
    ├── base
    │   ├── argocd-operatorgroup.yaml
    │   ├── argocd-subscription.yaml
    │   └── kustomization.yaml
    └── overlays
    │   └── default
    │       ├── kustomization.yaml
    │       ├── namespace.yaml
    │       └── patch-target-namespace.yaml
├── argocd
    ├── base
    │   ├── argocd-groups.yaml
    │   ├── argocd.yaml
    │   └── kustomization.yaml
    └── overlays
    │   ├── adv-mgmt
    │       ├── cluster-role-binding.yaml
    │       ├── cluster-role.yaml
    │       └── kustomization.yaml
    │   └── default
    │       ├── cluster-role-binding.yaml
    │       └── kustomization.yaml
└── setup.sh

/README.md:
--------------------------------------------------------------------------------
 1 | # Argo CD Setup
 2 |
 3 | Install Argo CD Operator `0.0.14` from manifests.
 4 |
 5 | # Setup
 6 |
 7 | 1. Log in to your cluster with the `oc` CLI as a user that has `cluster-admin` rights.
 8 | 2. Run `./setup.sh`
 9 |
10 | # Without the Script
11 |
12 | If you look at `setup.sh`, you'll see there are only two important `oc` commands. You can run these manually.
13 | 1. `oc apply -k argocd-operator/overlays/default`
14 | 2. Wait for the Argo CD Operator to finish installing.
15 | 3. `oc apply -k argocd/overlays/default`
16 |
17 | Done!
18 |
19 | ## Default Setup
20 | 1. OpenShift OAuth included "out of the box"
21 | 2. Custom *PersistentVolumeClaim* health check to allow *Pending* PVCs to be considered healthy.
22 | 3. Specify new `ApplicationInstanceLabelKey` that won't mess with `connect-to` annotations.
23 |
--------------------------------------------------------------------------------
/argocd-operator/base/argocd-operatorgroup.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: operators.coreos.com/v1
 2 | kind: OperatorGroup  # limits the operator to the namespaces listed under spec.targetNamespaces
 3 | metadata:
 4 |   annotations:
 5 |     olm.providedAPIs: AppProject.v1alpha1.argoproj.io,Application.v1alpha1.argoproj.io,ArgoCD.v1alpha1.argoproj.io,ArgoCDExport.v1alpha1.argoproj.io
 6 |   generateName: argocd-
 7 |   name: argocd
 8 | spec:
 9 |   targetNamespaces:
10 |   - argocd
11 |
--------------------------------------------------------------------------------
/argocd-operator/base/argocd-subscription.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: operators.coreos.com/v1alpha1
 2 | kind: Subscription  # installs the Argo CD Operator from the community-operators catalog
 3 | metadata:
 4 |   name: argocd-operator
 5 | spec:
 6 |   channel: alpha
 7 |   installPlanApproval: Manual  # NOTE(review): overlays/default also pulls an installplan-approver base, which presumably approves this InstallPlan automatically — confirm what it approves
 8 |   name: argocd-operator
 9 |   source: community-operators
10 |   sourceNamespace: openshift-marketplace
11 |   startingCSV: argocd-operator.v0.0.14  # the operator version the README names
12 |
--------------------------------------------------------------------------------
/argocd-operator/base/kustomization.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: kustomize.config.k8s.io/v1beta1
 2 | kind: Kustomization
 3 |
 4 | # Could not get this to work, so the overlays use patches instead; kustomize says variable
 5 | # substitution is only supported in certain places. Revisit when there is more time.
 6 | # vars:
 7 | # - name: NAMESPACE
 8 | #   objref:
 9 | #     apiVersion: operators.coreos.com/v1
10 | #     kind: OperatorGroup
11 | #     name: argocd
12 | #   fieldref:
13 | #     fieldpath: metadata.name
14 |
15 | resources:
16 | - argocd-operatorgroup.yaml
17 | - argocd-subscription.yaml
--------------------------------------------------------------------------------
/argocd-operator/overlays/default/kustomization.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: kustomize.config.k8s.io/v1beta1
 2 | kind: Kustomization
 3 |
 4 | namespace: argocd
 5 |
 6 | bases:
 7 | - ../../base
 8 | - github.com/redhat-canada-gitops/catalog/installplan-approver/base  # NOTE(review): remote base with no ?ref=, so it resolves to that repository's default branch at apply time; pin it to a reviewed commit or tag, since the README applies this overlay with cluster-admin rights
 9 |
10 | resources:
11 | - namespace.yaml
12 |
13 | patchesStrategicMerge:
14 | - patch-target-namespace.yaml
--------------------------------------------------------------------------------
/argocd-operator/overlays/default/namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 |   annotations:
5 |     openshift.io/description: "ArgoCD project for gitops"
6 |     openshift.io/display-name: "ArgoCD"
7 |   name: argocd
--------------------------------------------------------------------------------
/argocd-operator/overlays/default/patch-target-namespace.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: operators.coreos.com/v1
2 | kind: OperatorGroup  # strategic-merge patch for the base OperatorGroup named argocd
3 | metadata:
4 |   name: argocd
5 | spec:
6 |   targetNamespaces:
7 |   - argocd
--------------------------------------------------------------------------------
/argocd/base/argocd-groups.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: user.openshift.io/v1
 2 | kind: Group
 3 | metadata:
 4 |   name: argocdadmins  # mapped to Argo CD role:admin by rbac.policy in argocd.yaml
 5 | users:
 6 | - admin  # NOTE(review): whoever holds the OpenShift user named admin becomes an Argo CD admin; list the intended accounts explicitly
 7 | ---
 8 | apiVersion: user.openshift.io/v1
 9 | kind: Group
10 | metadata:
11 |   name: argocdusers  # mapped to Argo CD role:readonly; created with no members
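--------------------------------------------------------------------------------
/argocd/base/argocd.yaml:
--------------------------------------------------------------------------------
  1 | apiVersion: argoproj.io/v1alpha1
  2 | kind: ArgoCD  # the Argo CD instance the operator reconciles
  3 | metadata:
  4 |   name: argocd
  5 |   labels:
  6 |     profile: redhat-canada-gitops
  7 | spec:
  8 |   server:
  9 |     insecure: true  # argocd-server listens without TLS; with the edge-terminated route below, router-to-pod traffic is plain HTTP
 10 |     route:
 11 |       enabled: true
 12 |       tls:
 13 |         termination: edge  # TLS ends at the OpenShift router
 14 |         insecureEdgeTerminationPolicy: Redirect  # plain-HTTP requests to the route are redirected to HTTPS
 15 |   dex:
 16 |     image: quay.io/redhat-cop/dex  # NOTE(review): custom Dex image selected by tag (next line), not by digest, so its content can change without this file changing
 17 |     version: v2.22.0-openshift
 18 |     openShiftOAuth: true  # log in through the cluster's OAuth server
 19 |   applicationInstanceLabelKey: argocd.argoproj.io/instance
 20 |   resourceCustomizations: |
 21 |     bitnami.com/SealedSecret:
 22 |       health.lua: |
 23 |         hs = {}
 24 |         if obj.status ~= nil then
 25 |           if obj.status.conditions ~= nil then
 26 |             for i, condition in ipairs(obj.status.conditions) do
 27 |               if condition.type == "Synced" and condition.status == "False" then
 28 |                 hs.status = "Degraded"
 29 |                 hs.message = condition.message
 30 |                 return hs
 31 |               end
 32 |               if condition.type == "Synced" and condition.status == "True" then
 33 |                 hs.status = "Healthy"
 34 |                 hs.message = condition.message
 35 |                 return hs
 36 |               end
 37 |             end
 38 |           end
 39 |         end
 40 |         hs.status = "Progressing"
 41 |         hs.message = "Waiting for sync status"
 42 |         return hs
 43 |     build.openshift.io/BuildConfig:
 44 |       ignoreDifferences: |
 45 |         jsonPointers:
 46 |         - /status/lastVersion
 47 |     route.openshift.io/Route:
 48 |       ignoreDifferences: |
 49 |         jsonPointers:
 50 |         - /status/ingress
 51 |     /ServiceAccount:
 52 |       ignoreDifferences: |
 53 |         jsonPointers:
 54 |         - /imagePullSecrets
 55 |     PersistentVolumeClaim:
 56 |       health.lua: |
 57 |         hs = {}
 58 |         if obj.status ~= nil then
 59 |           if obj.status.phase ~= nil then
 60 |             if obj.status.phase == "Pending" then -- Pending counts as Healthy on purpose (README, "Default Setup")
 61 |               hs.status = "Healthy"
 62 |               hs.message = obj.status.phase
 63 |               return hs
 64 |             end
 65 |             if obj.status.phase == "Bound" then
 66 |               hs.status = "Healthy"
 67 |               hs.message = obj.status.phase
 68 |               return hs
 69 |             end
 70 |           end
 71 |         end
 72 |         hs.status = "Progressing"
 73 |         hs.message = "Waiting for PVC status" -- reached when status or phase is missing, or phase is neither Pending nor Bound
 74 |         return hs
 75 |     Job:
 76 |       health.lua: |
 77 |         hs = {}
 78 |         if obj.status ~= nil then
 79 |           if obj.status.active ~= nil then
 80 |             if obj.status.active > 0 then -- numeric compare: status.active is an integer count, and a Lua number never equals the string "1"
 81 |               hs.status = "Progressing"
 82 |               hs.message = obj.status.active .. " active job(s)."
 83 |               return hs
 84 |             end
 85 |           end
 86 |           if obj.status.succeeded ~= nil then
 87 |             if obj.status.succeeded == 1 then
 88 |               hs.status = "Healthy"
 89 |               hs.message = "Job completed successfully."
 90 |               return hs
 91 |             end
 92 |           end
 93 |         end
 94 |         hs.status = "Progressing"
 95 |         hs.message = "Waiting for Job to complete."
 96 |         return hs
 97 |   resourceExclusions: |
 98 |     - apiGroups:
 99 |       - tekton.dev
100 |       kinds:
101 |       - PipelineRun
102 |     - apiGroups:
103 |       - compliance.openshift.io
104 |       kinds:
105 |       - ComplianceCheckResult
106 |       - ComplianceRemediation
107 |   rbac:
108 |     defaultPolicy: role:readonly  # applies to every authenticated user, so anyone who can log in through OpenShift OAuth gets read-only access, not only members of argocdusers
109 |     policy: |
110 |       g, argocdadmins, role:admin
111 |       g, argocdusers, role:readonly
112 |     scopes: "[groups]"  # policy subjects are matched against the groups claim
113 |
--------------------------------------------------------------------------------
/argocd/base/kustomization.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: kustomize.config.k8s.io/v1beta1
 2 | kind: Kustomization
 3 |
 4 | # At some point make namespace configurable in overlays
 5 | namespace: argocd
 6 |
 7 | resources:
 8 | - argocd.yaml
 9 | - argocd-groups.yaml
10 |
11 |
--------------------------------------------------------------------------------
/argocd/overlays/adv-mgmt/cluster-role-binding.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: ClusterRoleBinding  # binds the application controller to the custom ClusterRole in cluster-role.yaml
 3 | metadata:
 4 |   name: argocd-application-controller-custom-role-binding
 5 | roleRef:
 6 |   apiGroup: rbac.authorization.k8s.io
 7 |   kind: ClusterRole
 8 |   name: argocd-custom-cluster-role
 9 | subjects:
10 | - kind: ServiceAccount
11 |   name: argocd-application-controller
12 |   namespace: argocd
13 |
--------------------------------------------------------------------------------
/argocd/overlays/adv-mgmt/cluster-role.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: rbac.authorization.k8s.io/v1
 2 | kind: ClusterRole  # NOTE(review): narrower than cluster-admin on paper, but the rbac.authorization.k8s.io rule below makes it equivalent in practice
 3 | metadata:
 4 |   name: argocd-custom-cluster-role
 5 | rules:
 6 | - apiGroups:
 7 |   - ""
 8 |   resources:
 9 |   - namespaces
10 |   - resourcequotas
11 |   - limitranges
12 |   - secrets  # read and write access to every Secret in every namespace
13 |   - serviceaccounts
14 |   verbs:
15 |   - '*'
16 | - apiGroups:
17 |   - apps
18 |   resources:
19 |   - deployments
20 |   verbs:
21 |   - '*'
22 | - apiGroups:
23 |   - bitnami.com
24 |   resources:
25 |   - sealedsecrets
26 |   verbs:
27 |   - '*'
28 | - apiGroups:
29 |   - user.openshift.io
30 |   resources:
31 |   - groups
32 |   verbs:
33 |   - '*'
34 | - apiGroups:
35 |   - rbac.authorization.k8s.io
36 |   resources:
37 |   - clusterroles
38 |   - clusterrolebindings
39 |   - roles
40 |   - rolebindings
41 |   verbs:
42 |   - '*'  # NOTE(review): '*' includes bind and escalate, so the controller can grant itself any role, cluster-admin included
43 | - apiGroups:
44 |   - config.openshift.io
45 |   resources:
46 |   - oauths  # can change the cluster's identity-provider configuration
47 |   verbs:
48 |   - '*'
49 | - apiGroups:
50 |   - apiextensions.k8s.io
51 |   resources:
52 |   - customresourcedefinitions
53 |   verbs:
54 |   - '*'
55 | - apiGroups:
56 |   - operators.coreos.com
57 |   resources:
58 |   - subscriptions
59 |   - operatorgroups
60 |   verbs:
61 |   - '*'
62 | - apiGroups:
63 |   - security.openshift.io
64 |   resources:
65 |   - securitycontextconstraints  # can create or edit SCCs, privileged ones included
66 |   verbs:
67 |   - '*'
68 |
69 |
--------------------------------------------------------------------------------
/argocd/overlays/adv-mgmt/kustomization.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: kustomize.config.k8s.io/v1beta1
 2 | kind: Kustomization
 3 |
 4 | namespace: argocd
 5 |
 6 | bases:
 7 | - ../../base
 8 |
 9 | resources:
10 | - cluster-role.yaml
11 | - cluster-role-binding.yaml
--------------------------------------------------------------------------------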
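/argocd/overlays/default/cluster-role-binding.yaml:
--------------------------------------------------------------------------------
 1 | kind: ClusterRoleBinding
 2 | apiVersion: rbac.authorization.k8s.io/v1
 3 | metadata:
 4 |   name: argocd-application-controller-cluster-admin
 5 | subjects:
 6 | - kind: ServiceAccount
 7 |   name: argocd-application-controller
 8 |   namespace: argocd
 9 | roleRef:
10 |   apiGroup: rbac.authorization.k8s.io
11 |   kind: ClusterRole
12 |   name: cluster-admin  # NOTE(review): the application controller gets full cluster-admin, so whatever Argo CD is told to sync can change anything in the cluster; overlays/adv-mgmt binds a custom ClusterRole instead
--------------------------------------------------------------------------------
/argocd/overlays/default/kustomization.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: kustomize.config.k8s.io/v1beta1
 2 | kind: Kustomization
 3 |
 4 | namespace: argocd
 5 |
 6 | bases:
 7 | - ../../base
 8 |
 9 | resources:
10 | - cluster-role-binding.yaml
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # Installs the Argo CD Operator, waits for it to roll out, then deploys the
 4 | # Argo CD instance from argocd/overlays/default. Run from the repository root
 5 | # while logged in with `oc` as a user that has cluster-admin rights.
 6 |
 7 | # Abort on the first failing command, unset variable or failed pipeline stage,
 8 | # so a failed apply or rollout is never followed by "Argo CD ready!".
 9 | set -euo pipefail
10 |
11 | export LANG=C
12 | SLEEP_SECONDS=45
13 |
14 | echo ""
15 | echo "Creating ArgoCD Project"
16 | # Avoids weird race condition where sometimes two installplans get created.
17 | # Best effort: the project may already exist from an earlier run, and the
18 | # operator overlay applies namespace.yaml anyway.
19 | oc new-project argocd || echo "Could not create project argocd (it may already exist); continuing."
20 | sleep 2
21 |
22 | echo ""
23 | echo "Installing Argo CD Operator."
24 |
25 | # This overlay pulls a remote kustomize base (installplan-approver); review
26 | # what it resolves to before applying it with cluster-admin credentials.
27 | oc apply -k argocd-operator/overlays/default
28 |
29 | echo "Pause $SLEEP_SECONDS seconds for the creation and approval of the InstallPlan."
30 | sleep "$SLEEP_SECONDS"
31 |
32 | oc rollout status deploy/argocd-operator -n argocd
33 |
34 | echo "Listing Argo CD CRDs."
35 | # Informational only; a missing CRD makes the next apply fail on its own.
36 | oc get crd | grep argo || echo "No Argo CD CRDs found."
37 |
38 |
39 | echo "Deploying Argo CD instance"
40 |
41 | # The default overlay binds argocd-application-controller to cluster-admin;
42 | # argocd/overlays/adv-mgmt binds a custom ClusterRole instead.
43 | oc apply -k argocd/overlays/default
44 |
45 | echo "Waiting for Argo CD server to start..."
46 |
47 | sleep "$SLEEP_SECONDS"
48 |
49 | oc rollout status deploy/argocd-server -n argocd
50 |
51 | echo "Argo CD ready!"
--------------------------------------------------------------------------------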