argocd使用
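# Create the namespace, then install Argo CD from the upstream manifest.
# The two commands were fused onto one line; they must run separately.
kubectl create namespace argocd

# NOTE: "stable" is a moving reference, so the manifest applied here can change
# between runs. For a reproducible install, pin the URL to the release tag you
# have reviewed.
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

# When the upstream manifest is not used unmodified, the cluster API IP/port
# environment variables have to be added to the workloads.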

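# Three components need these env vars added to their container spec. They point
# the in-cluster client at a fixed API server address.
# NOTE(review): the API server certificate presumably has to list 172.25.32.231
# in its SANs, otherwise TLS verification against this address fails. Confirm.

# 1) argocd-applicationset-controller
containers:
- command:
  - entrypoint.sh
  - argocd-applicationset-controller
  env:
  - name: KUBERNETES_SERVICE_HOST
    value: "172.25.32.231"
  - name: KUBERNETES_SERVICE_PORT
    value: "6443"

# 2) argocd-server
containers:
- command:
  - argocd-server
  env:
  - name: KUBERNETES_SERVICE_HOST
    value: "172.25.32.231"
  - name: KUBERNETES_SERVICE_PORT
    value: "6443"

# 3) argocd-application-controller
# This one is a StatefulSet: delete the pod so that it is recreated and picks up
# the new configuration:
#   kubectl -n argocd delete pod argocd-application-controller-0
containers:
- command:
  - argocd-application-controller
  env:
  - name: KUBERNETES_SERVICE_HOST
    value: "172.25.32.231"
  - name: KUBERNETES_SERVICE_PORT
    value: "6443"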
通过 ingress 代理访问时,argocd-server 需要启用 --insecure(TLS 改由 ingress 终止)

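# Open the argocd-server Deployment and append --insecure to its command.
kubectl -n argocd edit deployment argocd-server

# Fragment to end up with inside the editor:
#
#   containers:
#   - command:
#     - argocd-server
#     - --insecure
#
# Without it, traffic proxied through the ingress never reaches the server
# (gateway error) and only nodePort access works.
#
# --insecure makes argocd-server serve plain HTTP. TLS must then be terminated
# by the ingress, and the argocd-server Service should be reachable only through
# that ingress, because logins and tokens travel unencrypted on the hop behind it.
# The same switch can be set declaratively with server.insecure: "true" in the
# argocd-cmd-params-cm ConfigMap, which survives re-applying the install manifest.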
创建证书

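# Self-signed certificate for argocd.gateway.com, valid for 365 days.
# -nodes writes tls.key as an unencrypted private key: restrict its permissions
# and remove it from the working directory once the secret has been created.
# The subject carries only a CN and no subjectAltName, which is what triggers the
# "certificate relies on legacy Common Name field" error addressed in the next
# section.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout tls.key -out tls.crt \
  -subj "/CN=argocd.gateway.com"

# Store the key pair as a TLS secret in the argocd namespace.
kubectl create secret tls argocd-tls --cert=tls.crt --key=tls.key --namespace=argocd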
创建sans证书

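# Fixes: certificate had error: x509: certificate relies on legacy Common Name
# field, use SANs instead
#
# The page showed the JSON files with `cat`; they are written with here-documents
# here so that the steps can be replayed as-is.
# cfssl-json is the binary name used on the author's host (upstream usually
# installs it as cfssljson).

# CSR for the private CA (CA certificate lifetime: 131400h).
cat > ca-csr.json <<'EOF'
{
  "CN": "ingress",
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "HangZhou", "L": "XS", "O": "k8s", "OU": "System" }
  ],
  "ca": { "expiry": "131400h" }
}
EOF

# Generate the base CA certificate. This produces ca.pem and ca-key.pem.
# ca-key.pem can sign certificates for any name that trusts ca.pem: keep it
# readable by its owner only and do not copy it to cluster nodes.
cfssl gencert -initca ca-csr.json | cfssl-json -bare ca

# Signing policy. The "ingress" profile issues certificates valid for 87600h.
# NOTE(review): "client auth" is not needed for a certificate that is only served
# by the ingress; consider dropping it from the usages.
cat > ca-config.json <<'EOF'
{
  "signing": {
    "default": { "expiry": "87600h" },
    "profiles": {
      "ingress": {
        "usages": [ "signing", "key encipherment", "server auth", "client auth" ],
        "expiry": "87600h"
      }
    }
  }
}
EOF

# CSR for the ingress certificate. "hosts" becomes the SAN list. The page shows
# this JSON without a file name; ingress-crs.json is the name the gencert command
# below reads.
cat > ingress-crs.json <<'EOF'
{
  "CN": "gateway",
  "hosts": [ "*.gateway.com", "127.0.0.1" ],
  "key": { "algo": "rsa", "size": 2048 },
  "names": [
    { "C": "CN", "ST": "HangZhou", "L": "XS", "O": "k8s", "OU": "System" }
  ]
}
EOF

# Issue the certificate. This produces ingress.pem and ingress-key.pem.
cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -profile=ingress ingress-crs.json | cfssl-json -bare ingress

# Add the certificate to the cluster as a TLS secret.
kubectl create secret tls argocd-sans --cert=ingress.pem --key=ingress-key.pem --namespace=argocd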
traefik配置路由 其他ingress参考官网

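# Middleware that redirects plain-HTTP requests to HTTPS.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: argocd
spec:
  redirectScheme:
    scheme: https
---
# HTTP entry point ("web"): requests for the host go through the redirect
# middleware, so browsers are sent to the TLS route below.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: argocd
  namespace: argocd
spec:
  entryPoints:
    - web
  routes:
    - match: HOST(`argocd.gateway.com`)
      kind: Rule
      priority: 10
      middlewares:
        - name: redirect-https
      services:
        - name: argocd-server
          port: http
          scheme: h2c
---
# TLS entry point ("websecure"). Traefik terminates TLS here; the hop to
# argocd-server uses port 80 (HTTP, or h2c for gRPC), i.e. cleartext inside the
# cluster, which is why argocd-server runs with --insecure.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-tls
  namespace: argocd
spec:
  entryPoints:
    - websecure
  routes:
    # Web UI / REST traffic.
    - kind: Rule
      match: Host(`argocd.gateway.com`)
      priority: 10
      services:
        - name: argocd-server
          port: 80
    # gRPC traffic from the argocd CLI; the higher priority wins over the rule above.
    - kind: Rule
      match: Host(`argocd.gateway.com`) && Headers(`Content-Type`, `application/grpc`)
      priority: 11
      services:
        - name: argocd-server
          port: 80
          scheme: h2c
  tls:
    certResolver: default  # or: secretName: argocd-tls
    # The certificate with SANs created earlier on this page is stored in the
    # secret argocd-sans; argocd-tls holds the CN-only self-signed one.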
获取初始密码

# Read the bootstrap admin password that Argo CD generated at install time.
# It is meant for the first login only: change the admin password afterwards
# (argocd account update-password) and then delete the
# argocd-initial-admin-secret secret so the value does not linger in the cluster.
kubectl --namespace argocd get secret argocd-initial-admin-secret \
  --output jsonpath="{.data.password}" \
  | base64 --decode
echo
下载cli工具

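# Download the argocd CLI (release v2.4.11, linux/amd64) into a temporary file.
# -f makes curl fail on an HTTP error instead of saving the error page, so a
# broken download is never written into a directory on PATH.
tmp_bin=$(mktemp) \
  && curl -fsSL -o "$tmp_bin" https://github.com/argoproj/argo-cd/releases/download/v2.4.11/argocd-linux-amd64

# Print the hash and compare it with the checksum published for this release
# before installing. The binary is installed system-wide and later handles
# cluster credentials.
sha256sum "$tmp_bin"

# Only after the hash matches: install with mode 0755, then remove the temp file.
install -m 0755 "$tmp_bin" /usr/local/bin/argocd && rm -f -- "$tmp_bin"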
配置nginx代理到ingress暴露的nodeport端口(server argocd-gprc.gateway.com)

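# NodePorts exposed by the ingress controller, plain HTTP.
upstream ingress-gw {
    server 172.25.32.231:38000 fail_timeout=3;
    server 172.25.32.232:38000 fail_timeout=3;
    server 172.25.32.233:38000 fail_timeout=3;
}

# NodePorts exposed by the ingress controller, TLS. Used by the gRPC server block.
upstream servers {
    server 172.25.32.231:38443;
    server 172.25.32.232:38443;
    server 172.25.32.233:38443;
}

# Same TLS NodePorts, used by the HTTPS server block.
upstream tls-gw {
    server 172.25.32.231:38443 fail_timeout=3;
    server 172.25.32.232:38443 fail_timeout=3;
    server 172.25.32.233:38443 fail_timeout=3;
}

server {
    listen 80;
    server_name *.gateway.com;
    access_log /var/log/nginx/ingress.gateway.com.log main;
    keepalive_timeout 5;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_connect_timeout 75s;
        proxy_read_timeout 300s;
        proxy_pass http://ingress-gw;
    }
}

server {
    listen 443 ssl;
    server_name *.gateway.com;
    ssl_certificate ssl/ingress.pem;
    ssl_certificate_key ssl/ingress-key.pem;
    # TLSv1.1 is deprecated and was dropped from the original list; add TLSv1.3
    # where the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    # The original list was missing the ':' between the first two suites, which
    # fused them into one unknown name, and it still offered 3DES. Both are fixed.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/ingress.gateway.com.access-443.log main;
    error_log /var/log/nginx/ingress.gateway.com.error-443.log crit;
    #include /etc/nginx/conf.d/ingress.gatway.blacklist; # contents: deny 192.168.10.1;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_connect_timeout 75s;
        proxy_read_timeout 300s;
        # nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify is off). Enable it together with
        # proxy_ssl_trusted_certificate if this hop crosses a network you do not
        # fully control.
        proxy_pass https://tls-gw;
    }
}

server {
    # gRPC runs over HTTP/2. "ssl" is stated explicitly so that this block serves
    # HTTPS on its own declaration rather than by sharing the socket with the
    # server block above.
    listen 443 ssl http2;
    server_name argocd-gprc.gateway.com;
    ssl_certificate ssl/ingress.pem;
    ssl_certificate_key ssl/ingress-key.pem;
    # Same protocol and cipher corrections as in the HTTPS server block above.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256;
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/ingress.gprc.gateway.com.access-443.log main;
    error_log /var/log/nginx/ingress.gprc.gateway.com.error-443.log crit;
    #include /etc/nginx/conf.d/ingress.gatway.blacklist; # contents: deny 192.168.10.1;

    location / {
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Without this header the backend sees the upstream name "servers" as the
        # request host and the ingress finds no matching route.
        grpc_set_header Host $http_host;
        # As with proxy_pass above, the upstream certificate is not verified
        # unless grpc_ssl_verify and grpc_ssl_trusted_certificate are configured.
        grpc_pass grpcs://servers;
    }
}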
验证登录成功
配置 gitlab认证
web ui : Settings/

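# The repositories below are addressed over plain http://, so manifests (and any
# repository credentials) cross the network unencrypted and unauthenticated.
# Together with --sync-policy automated, whatever is served at that URL gets
# applied to the cluster. Prefer https:// or ssh:// repository URLs.
# The host names are redacted by the author; the comma in "gitlab.xxx,com" is
# presumably a typo for a dot.

# deployment (plain manifests)
argocd app create nginx-demo \
  --repo http://xxx/yw-ops/argocd-projects.git \
  --path deloyment/nginx-demo \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace test \
  --project hello-world

# helm
argocd app create hello-world3 \
  --repo http://gitlab.xxx,com/yw-ops/argocd-projects.git \
  --path helm/hello-world \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace test \
  --project hello-world

# app of apps
argocd app create appofapps \
  --repo http://xxx/yw-ops/argocd-projects.git \
  --path apps/helm-apps \
  --dest-server https://kubernetes.default.svc \
  --dest-namespace test \
  --project hello-world \
  --sync-policy automated

## If this fails with:
##   FATA[0000] rpc error: code = InvalidArgument desc = application spec for hello-world3 is invalid: InvalidSpecError: application destination {https://kubernetes.default.svc test} is not permitted in project 'hello-world'
# then add the destination to the project. The error is the project's destination
# allow-list at work, so add only the server/namespace pairs the project really
# needs.
argocd proj add-destination hello-world https://kubernetes.default.svc test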
获取资源

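# List the Argo CD custom resources in the argocd namespace, one kind per command.
# The three commands were fused onto one line; they must run separately.
kubectl -n argocd get application
kubectl -n argocd get appproject
kubectl -n argocd get applicationset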
坚持到无能为力,拼搏到感动自己