ArgoCD
1. Installation
# Download the package from GitHub
Change the image addresses in install.yaml to your own image addresses
kubectl apply -f install.yaml # to deploy into another namespace, make sure the RBAC-based authorization is correct for it
# Download the CLI binary
https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
# Initial password
argocd admin initial-password -n argocd
# Expose the argocd service through a svc
Change the argocd password after logging in
2. Usage
2.1 Create an app
# Log in to argocd and configure the git repository and the kubernetes cluster
3. Commands
3.1 app
# Get information about a created app
argocd app get $app_name
3.2 Users
# List accounts
argocd account list
argocd account get --account <username>
# Log in
# Set the account password
argocd account update-password \
--account <name> \
--current-password <current-user-password> \
--new-password <new-user-password>
# Generate an auth token
argocd account generate-token --account <username>
# Create the TLS secret
kubectl create -n argocd secret tls argocd-server-tls \
--cert=/path/to/cert.pem \
--key=/path/to/key.pem
4. Concepts
4.1 Architecture
# API server
Usually refers to the k8s cluster side; exposed with a svc, ingress, istio, nodeport or similar
Functions:
App management and status viewing
Invoking application operations (e.g. sync, rollback, user-defined actions)
Repository and cluster credential management (stored as K8s secrets)
Authentication against external identity providers and delegation of authentication
RBAC authorization
Listening for / forwarding Git webhook events
# Repository server
Usually refers to gitlab
Functions:
Generates and manages the resource manifests the k8s cluster needs, based on
the repository URL
revision information (commit, tag, branch)
the application path
template settings: parameters, helm values, etc.
# Controller
Usually an operator, a k8s concept: it continuously watches a resource object and drives it toward the desired state
5. Configuration
5.1 ConfigMaps and secrets
# Hold the configuration of repositories, apps and so on, mainly definitions of permissions, keys and config files
# argocd-cm
kubectl get cm argocd-cm -n argocd -oyaml
Defines Argo CD's general configuration
# my-private-repo / istio-helm-repo / private-helm-repo / private-repo
Define the configuration of the repositories in use; these are secrets
# argoproj-https-creds / argoproj-ssh-creds / github-creds / github-enterprise-creds
Secrets holding repository credentials such as SSH keys
# argocd-cmd-params-cm
Stores the environment variable settings
# argocd-secret
Stores the certificates and secrets Argo CD uses, e.g. the signing certificate, webhook secrets and user account passwords
# argocd-rbac-cm
Stores the RBAC configuration
# argocd-tls-certs-cm
Stores the files used for TLS communication
# argocd-ssh-known-hosts-cm
Stores the SSH known-hosts entries for the git repository hosts
5.2 API
5.2.1 app
# Define an application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: argocd
  finalizers: # finalizer so that deleting the app cascades to its resources
  - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source: # reference to the desired state in Git (repository, revision, path, environment)
    repoURL: http://172.31.3.155/guquanheng/argo.git
    targetRevision: HEAD
    path: test1
  destination: # reference to the target cluster and namespace
    server: https://172.31.3.10:6443
    namespace: argocd
---
# for a helm repository, replace path with the chart name
spec:
  source:
    repoURL: https://argoproj.github.io/argo-helm
    chart: argo
5.2.2 AppProject
# Define an application project
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: test1
  namespace: argocd
  # Finalizer that ensures that project is not deleted until it is not referenced by any application
  finalizers:
  - resources-finalizer.argocd.argoproj.io
spec:
  description: Example Project
  # Allow manifests to deploy from any Git repos
  sourceRepos: # repositories from which apps in this project may pull manifests
  - '*'
  # Only permit applications to deploy to the argocd namespace in the same cluster
  destinations: # clusters and namespaces that apps in this project may deploy to
  - namespace: argocd
    server: https://172.31.3.10:6443
  # Deny all cluster-scoped resources from being created, except for Namespace
  clusterResourceWhitelist: # which cluster-scoped resources may be used
  - group: ''
    kind: Namespace
  # Allow all namespaced-scoped resources to be created, except for ResourceQuota, LimitRange, NetworkPolicy
  namespaceResourceBlacklist:
  - group: ''
    kind: ResourceQuota
  - group: ''
    kind: LimitRange
  - group: ''
    kind: NetworkPolicy
  # Deny all namespaced-scoped resources from being created, except for Deployment and StatefulSet
  namespaceResourceWhitelist:
  - group: 'apps'
    kind: Deployment
  - group: 'apps'
    kind: StatefulSet
  roles: # access permissions to the resources in this project
  # A role which provides read-only access to all applications in the project
  - name: read-only
    description: Read-only privileges to test1
    policies:
    - p, proj:test1:read-only, applications, get, test1/*, allow
    groups:
    - my-oidc-group
  # A role which provides sync privileges to only the guestbook-dev application, e.g. to provide
  # sync privileges to a CI system
  - name: ci-role
    description: Sync privileges for guestbook-dev
    policies:
    - p, proj:test1:ci-role, applications, sync, test1/guestbook-dev, allow
    # NOTE: JWT tokens can only be generated by the API server and the token is not persisted
    # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
    jwtTokens:
    - iat: 1535390316
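To see what the AppProject fields in 5.2.2 actually enforce on the Application in 5.2.1, here is an added Python example (not Argo CD's code) that models the checks in simplified form: the app's repoURL must match a sourceRepos pattern, its destination must match a destinations entry, cluster-scoped kinds need a clusterResourceWhitelist entry, and namespaced kinds must be on the namespaceResourceWhitelist (when one is set) and off the namespaceResourceBlacklist. The PROJECT and APP dictionaries are constructed from the two manifests above; the function names and the (group, kind, namespaced) tuple format are this example's own.

```python
from fnmatch import fnmatchcase

# Constructed from the AppProject "test1" shown above (sample data for this example).
PROJECT = {
    "sourceRepos": ["*"],
    "destinations": [{"server": "https://172.31.3.10:6443", "namespace": "argocd"}],
    "clusterResourceWhitelist": [{"group": "", "kind": "Namespace"}],
    "namespaceResourceBlacklist": [
        {"group": "", "kind": "ResourceQuota"},
        {"group": "", "kind": "LimitRange"},
        {"group": "", "kind": "NetworkPolicy"},
    ],
    "namespaceResourceWhitelist": [
        {"group": "apps", "kind": "Deployment"},
        {"group": "apps", "kind": "StatefulSet"},
    ],
}

# Constructed from the Application "guestbook" shown above.
APP = {
    "source": {"repoURL": "http://172.31.3.155/guquanheng/argo.git"},
    "destination": {"server": "https://172.31.3.10:6443", "namespace": "argocd"},
}


def _in_list(entries, group, kind):
    """True if some (group, kind) entry matches; entries may use glob patterns such as '*'."""
    return any(fnmatchcase(group, e["group"]) and fnmatchcase(kind, e["kind"]) for e in entries)


def source_permitted(project, app):
    """The app's repoURL must match one of the project's sourceRepos patterns."""
    repo = app["source"]["repoURL"]
    return any(fnmatchcase(repo, pattern) for pattern in project.get("sourceRepos", []))


def destination_permitted(project, app):
    """Both server and namespace must match a single destinations entry."""
    dest = app["destination"]
    return any(
        fnmatchcase(dest["server"], d["server"]) and fnmatchcase(dest["namespace"], d["namespace"])
        for d in project.get("destinations", [])
    )


def resource_permitted(project, group, kind, namespaced):
    """Cluster-scoped kinds need a clusterResourceWhitelist entry; namespaced kinds must be
    on the namespaceResourceWhitelist (when one is set) and must not be blacklisted."""
    if namespaced:
        whitelist = project.get("namespaceResourceWhitelist") or []
        allowed = not whitelist or _in_list(whitelist, group, kind)
        denied = _in_list(project.get("namespaceResourceBlacklist") or [], group, kind)
    else:
        allowed = _in_list(project.get("clusterResourceWhitelist") or [], group, kind)
        denied = _in_list(project.get("clusterResourceBlacklist") or [], group, kind)
    return allowed and not denied


def violations(project, app, manifests):
    """Reasons a sync would be refused; manifests are (group, kind, namespaced) tuples.
    An empty list means the project permits everything the app wants to do."""
    problems = []
    if not source_permitted(project, app):
        problems.append("source repo not allowed by sourceRepos")
    if not destination_permitted(project, app):
        problems.append("destination not allowed by destinations")
    for group, kind, namespaced in manifests:
        if not resource_permitted(project, group, kind, namespaced):
            problems.append(f"resource {group or 'core'}/{kind} not permitted")
    return problems


if __name__ == "__main__":
    # A constructed set of kinds the guestbook app might try to render.
    sample = [("apps", "Deployment", True), ("", "ConfigMap", True),
              ("", "Namespace", False), ("rbac.authorization.k8s.io", "ClusterRole", False)]
    for problem in violations(PROJECT, APP, sample):
        print(problem)
```

Running it shows that with the project above a ConfigMap is refused even though it is not blacklisted, because a namespace whitelist is set and only Deployment and StatefulSet are on it; that is the least-privilege effect of the whitelist and the reason a project should list exactly the kinds its apps need.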
5.2.3 Repositories
5.2.3.1 https
apiVersion: v1
kind: Secret
metadata:
  name: private-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: https://github.com/argoproj/private-repo
  password: my-password
  username: my-username
5.2.3.2 ssh
apiVersion: v1
kind: Secret
metadata:
  name: private-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: git@github.com:argoproj/my-private-repository
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----
5.2.3.3 Helm Chart Repositories
apiVersion: v1
kind: Secret
metadata:
  name: istio
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  name: istio.io
  url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
  type: helm
---
apiVersion: v1
kind: Secret
metadata:
  name: argo-helm
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  name: argo
  url: https://argoproj.github.io/argo-helm
  type: helm
  username: my-username
  password: my-password
  tlsClientCertData: ...
  tlsClientCertKey: ...
5.3 TLS configuration
5.3.1 argocd-server
# Set via command-line flags
--insecure=false # run without TLS when true; false keeps TLS enabled
--tlsminversion 1.2 # minimum TLS version
--tlsmaxversion 1.3 # maximum TLS version
--tlsciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384 # TLS cipher suites to use
6. User management
6.1 Create a user
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  # add an additional local user with apiKey and login capabilities
  # apiKey - allows generating API keys for API access
  # login - allows logging in to the UI
  accounts.alice: apiKey, login
  # disables user. Enabled by default
  accounts.alice.enabled: "false"
6.2 Disable the admin user
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  admin.enabled: "false"
6.3 Throttle users with failed logins
ARGOCD_SESSION_FAILURE_MAX_FAIL_COUNT maximum number of failed logins before further attempts are rejected
ARGOCD_SESSION_FAILURE_WINDOW_SECONDS length of the failure window in seconds; set to 0 to disable the window, in which case the user is rejected after 10 consecutive failed logins regardless of timing
ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT maximum number of concurrent login requests
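The interaction between the count and the window is easiest to see in code. The class below is an added example, not Argo CD's implementation: an in-memory model of the first two settings above, with an injectable clock so the window behaviour can be exercised offline. The class and method names are this example's own.

```python
import time


class LoginThrottle:
    """Simplified model of login-failure throttling (added example, not Argo CD's code):
    max_fail_count failures inside window_seconds lock the user out; window_seconds == 0
    disables the window, so recorded failures never expire."""

    def __init__(self, max_fail_count=5, window_seconds=300, clock=time.monotonic):
        self.max_fail_count = max_fail_count
        self.window_seconds = window_seconds
        self.clock = clock        # injectable so the behaviour can be tested without sleeping
        self.failures = {}        # user -> timestamps of failed attempts

    def recent_failures(self, user):
        """Number of failures still inside the window (all of them when the window is 0)."""
        stamps = self.failures.get(user, [])
        if self.window_seconds > 0:
            cutoff = self.clock() - self.window_seconds
            stamps = [t for t in stamps if t >= cutoff]
            self.failures[user] = stamps   # forget failures that fell out of the window
        return len(stamps)

    def is_locked(self, user):
        return self.recent_failures(user) >= self.max_fail_count

    def attempt(self, user, password_ok):
        """Returns 'locked', 'ok' or 'bad-password'. A locked user is refused even with the
        right password, which is what makes online password guessing unproductive."""
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)   # a successful login clears the counter
            return "ok"
        self.failures.setdefault(user, []).append(self.clock())
        return "bad-password"


if __name__ == "__main__":
    # Constructed walk-through: three bad passwords, then the correct one.
    throttle = LoginThrottle(max_fail_count=3, window_seconds=60)
    for ok in (False, False, False, True):
        print(throttle.attempt("alice", ok))
```

With the window disabled the counter only resets on a successful login, so a user who reached the limit stays locked until an operator intervenes; with a positive window the lock expires on its own once the old failures age out.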
6.4 Configure authentication
6.4.1 RBAC-based access control
...
data:
  policy.csv: |
    # all resources other than the application-specific ones
    p, <role/user/group>, <resource>, <action>, <object>
    # applications, applicationsets, logs and exec belong to an AppProject
    p, <role/user/group>, <resource>, <action>, <appproject>/<object>
    g, argocd-global-admins, role:admin
  policy.default: role:readonly|role:admin # read-only access to all resources | all permissions (pick one)
  # essential to get argo to use groups for RBAC:
  scopes: '[http://your.domain/groups, email]'
...
Resources: clusters projects applications applicationsets repositories certificates accounts gpgkeys logs exec extensions
Actions: get create update delete sync override action/<group/kind/action-name>
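How p lines, g lines, the glob-matched object field and policy.default combine is worth seeing in code. The script below is an added example and not Argo CD's enforcer: it is a reduced model of the casbin-style matching Argo CD uses (a subject inherits roles through g lines; resource, action and object are glob-matched; any matching deny overrides allows; policy.default is consulted only when the subject's own rules do not grant the request). SAMPLE_POLICY is constructed for this example and reuses the ci-role from the AppProject in 5.2.2; the function names are this example's own.

```python
from fnmatch import fnmatchcase

# Constructed sample policy in the policy.csv format shown above.
SAMPLE_POLICY = """
# lines starting with '#' are comments
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, applications, get, secret-proj/*, deny
p, proj:test1:ci-role, applications, sync, test1/guestbook-dev, allow
p, role:admin, *, *, *, allow
g, argocd-global-admins, role:admin
g, ci-bot, proj:test1:ci-role
"""


def parse_policy(text):
    """Split policy.csv into p rules (subject, resource, action, object, effect) and g edges."""
    rules, groups = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            groups.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, groups


def expand_subject(subject, groups):
    """The subject itself plus every role reachable through g lines (transitively)."""
    seen, todo = set(), [subject]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(groups.get(s, ()))
    return seen


def _match(rules, groups, subject, resource, action, obj):
    """Evaluate the rules for one subject; a matching deny wins over any matching allow."""
    subjects = expand_subject(subject, groups)
    allowed = denied = False
    for sub, res, act, ob, effect in rules:
        if sub in subjects and fnmatchcase(resource, res) and fnmatchcase(action, act) and fnmatchcase(obj, ob):
            allowed |= effect == "allow"
            denied |= effect == "deny"
    return allowed and not denied


def enforce(rules, groups, subject, resource, action, obj, default_role=None):
    """True if the request is permitted; policy.default (default_role) is the fallback."""
    if _match(rules, groups, subject, resource, action, obj):
        return True
    return bool(default_role) and _match(rules, groups, default_role, resource, action, obj)


if __name__ == "__main__":
    rules, groups = parse_policy(SAMPLE_POLICY)
    for req in (("ci-bot", "applications", "sync", "test1/guestbook-dev"),
                ("ci-bot", "applications", "sync", "test1/guestbook-prod"),
                ("ci-bot", "applications", "get", "test1/guestbook-dev")):
        print(req, enforce(rules, groups, *req, default_role="role:readonly"))
```

The two things the output makes visible: the project-scoped object field (test1/guestbook-dev) stops the CI subject from syncing anything else, and a policy.default of role:readonly widens every subject's view to all applications, so a read restriction for a sensitive project has to be an explicit deny line rather than an omission.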
7. Implementing CI/CD with tekton and argo
7.1 Create a helm chart
# This article uses nginx
helm create nginx # generate a chart template with helm, then modify it as needed
7.2 Push the code to the git repository