
4. Mastering ArgoCD: Installation, GitLab Integration, and RBAC Configuration for Seamless Continuous Deployment


 

 

GitLab integration

 

 

 

Then click Save application; GitLab shows the details of the newly created application:

 

 

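After registration, we can see that the application currently has 0 Clients, meaning no instance has authenticated as this Application yet:

Either way, the application registration step is done. Give Me Five~

Edit the ConfigMap with the following command:

kubectl edit configmap argocd-cm -n argocd

Because I am integrating ArgoCD with a personal GitLab account, the org section is not needed here.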

data:
  dex.config: |
    connectors:
      # GitLab example
      - type: gitlab
        id: gitlab
        name: Gitlab
        config:
          clientID: d67495a7d2d6d4f756040a65b2726197e603a1edfc1a615c70d915d383570a7d
          clientSecret: 60fba8381473ba78841499133b2f24691a2dd8c00605412a38d89f38b15a56b9
          baseURL: http://101.43.196.155:32080 # GitLab address
          redirectURI: https://101.43.196.155:32198/api/dex/callback # ArgoCD address
          # orgs:
          # - name: your-github-org
  url: https://101.43.196.155:32198 # ArgoCD address
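
A check a reviewer might run over this ConfigMap before applying it, as an added example (not from the original post and not Argo CD tooling). It flags a literal clientSecret, plain-HTTP endpoints, and a redirectURI that does not match url + /api/dex/callback. The host names and the argocd-secret key name dex.gitlab.clientSecret are assumptions.

```python
# Added example: lint a dex.config fragment from argocd-cm (not Argo CD tooling).
import re

# Constructed sample mirroring the layout above; all values are placeholders.
SAMPLE_CM = """\
data:
  dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: Gitlab
        config:
          clientID: EXAMPLE_CLIENT_ID
          clientSecret: EXAMPLE_PLAINTEXT_SECRET
          baseURL: http://gitlab.example.internal:32080
          redirectURI: https://argocd.example.internal:32198/api/dex/callback
  url: https://argocd.example.internal:32198
"""

def fields(text):
    """Collect 'key: value' scalars, dropping trailing '# comments'."""
    out = {}
    for m in re.finditer(r"^\s*([\w.]+):[ \t]+(\S.*)$", text, re.M):
        out[m.group(1)] = re.sub(r"\s+#.*$", "", m.group(2)).strip()
    return out

def lint(text):
    f, findings = fields(text), []
    secret = f.get("clientSecret", "")
    # Argo CD resolves values starting with "$" from the argocd-secret Secret;
    # the key name used in the message is an assumed name.
    if secret and not secret.startswith("$"):
        findings.append("clientSecret is a literal in a ConfigMap; keep it in "
                        "argocd-secret and reference it as $dex.gitlab.clientSecret")
    for key in ("baseURL", "redirectURI", "url"):
        if f.get(key, "").startswith("http://"):
            findings.append(f"{key} uses plain HTTP; OAuth codes and tokens "
                            "would cross the network unencrypted")
    expected = f.get("url", "").rstrip("/") + "/api/dex/callback"
    if "redirectURI" in f and f["redirectURI"] != expected:
        findings.append(f"redirectURI should be {expected}")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CM):
        print("-", finding)
```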

After saving, the change should take effect automatically. However, logging in failed with: invalid session token: failed to verify signature: failed to verify id token signature

We need to restart the argocd-server deployment.

kubectl rollout restart deploy argocd-server -n argocd  

 

Open the browser and load the ArgoCD page again.

 

 

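Then go back to GitLab; it now shows that one account has logged in successfully.

From now on, click LOG IN VIA GITLAB on the ArgoCD login page to log in directly without a password.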

 

 

RBAC

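Login works now, but the account lacks permissions; we need to configure RBAC following the official documentation.

Unfortunately, Dex cannot map/export organizations as groups into ArgoCD; it can only map user emails into ArgoCD. For me, the scope parameter is '[email,groups]', so I can assign a user to a role by email.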

kubectl edit configmap argocd-rbac-cm -n argocd

# add this part
apiVersion: v1
data:
  policy.csv: |
    g, admin@example.com, role:admin
  policy.default: role:readonly
  # claim names read from the ID token; the group claim is named "groups"
  scopes: '[email, groups]'

If you are an organization user, follow similar steps, as shown below.

data:
  scopes: '[email, groups]'
  policy.default: role:readonly
  policy.csv: |
    p, role:readonly, applications, get, */*, allow
    p, role:readonly, logs, get, */*, allow
    p, role:readonly, applications, action/apps/Deployment/restart, */*, allow
    
    p, role:admin, applications, get, */*, allow
    p, role:admin, applications, update, */*, allow
    p, role:admin, applications, delete, */*, allow
    p, role:admin, applications, sync, */*, allow
    p, role:admin, applications, override, */*, allow
    p, role:admin, applications, action/*, */*, allow
    p, role:admin, logs, get, */*, allow
    p, role:admin, clusters, get, *, allow
    p, role:admin, projects, get, *, allow
    p, role:admin, repositories, get, *, allow
    p, role:admin, certificates, get, *, allow


    g, your-org:developers, role:readonly
    g, your-org:devops, role:admin

developers and devops are groups in your GitHub organization.
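
How the g lines, the p lines, policy.default and scopes combine, as an added example (a simplified model, not Argo CD's code and not from the original post). It uses Python's fnmatch for glob matching and ignores Argo CD's built-in policy. The claims, the application name default/guestbook and the shortened policy are constructed.

```python
# Added example: simplified model of Argo CD RBAC evaluation (not Argo CD's code).
from fnmatch import fnmatchcase

# Constructed policy, shortened from the organization example above.
POLICY_CSV = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, logs, get, */*, allow
p, role:readonly, applications, action/apps/Deployment/restart, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, delete, */*, allow
g, your-org:developers, role:readonly
g, your-org:devops, role:admin
g, admin@example.com, role:admin
"""

def parse_policy(text):
    """Split policy.csv into permission tuples and subject -> roles grants."""
    perms, grants = [], {}
    for line in text.splitlines():
        f = [x.strip() for x in line.split(",")]
        if f[0] == "p" and len(f) == 6:
            perms.append(tuple(f[1:]))
        elif f[0] == "g" and len(f) == 3:
            grants.setdefault(f[1], set()).add(f[2])
    return perms, grants

def subjects(claims, scopes):
    """Only claims named in `scopes` become RBAC subjects."""
    subs = []
    for name in scopes:
        value = claims.get(name, [])
        subs.extend(value if isinstance(value, list) else [value])
    return subs

def allowed(claims, scopes, resource, action, obj, default="role:readonly"):
    perms, grants = parse_policy(POLICY_CSV)
    roles = {default}  # policy.default applies to every authenticated user
    for s in subjects(claims, scopes):
        roles |= grants.get(s, set())
    effects = [eft for role, res, act, o, eft in perms
               if role in roles and fnmatchcase(resource, res)
               and fnmatchcase(action, act) and fnmatchcase(obj, o)]
    return "allow" in effects and "deny" not in effects

# Constructed ID-token claims for a member of the devops group.
CLAIMS = {"email": "dev@example.com", "groups": ["your-org:devops"]}

if __name__ == "__main__":
    for scopes in (["email", "groups"], ["email", "group"]):
        print(scopes, allowed(CLAIMS, scopes, "applications", "sync", "default/guestbook"))
```

With a claim name in scopes that the token does not carry (group instead of groups), the group mapping is silently skipped and the user falls back to policy.default, which here still permits restarting Deployments.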


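A second method achieves the same SSO configuration and RBAC permission configuration.

It is fairly simple; the details are as follows.

Make the changes in ArgoCD's installation file, install.yaml.

In install.yaml, go to the ConfigMap with name: argocd-cm: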

 

apiVersion: v1
data:
  dex.config: |
    connectors:
      # GitLab example
      - type: gitlab
        id: gitlab
        name: Gitlab
        config:
          clientID: c0b0dfe61f988f4372e5ff5b07707fb63fb8ae33360a5562180dc4a497f77e45
          clientSecret: 90094cb22dbc546ea4b9754dee4405bf782136d966a3407faaacb30c5e492625
          baseURL: http://101.43.196.155:32080 # GitLab address
          redirectURI: https://101.43.196.155:32329/api/dex/callback
          # orgs:
          # - name: your-github-org
  url: https://101.43.196.155:32329
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm

Then modify the RBAC configuration further down, as follows:

 

apiVersion: v1
data:
  policy.csv: |
    g, admin@example.com, role:admin
  policy.default: role:readonly
  scopes: '[email, groups]'
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm

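Once these two places are modified, you can deploy directly. Other settings, such as the DingTalk notification integration, are also changed in this install.yaml file; I will cover that in a separate post later.

After completing the configuration above, save and exit.

Deploy: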

kubectl apply -f new_install.yaml -n argocd
[root@master install_argocd]# vim new_install.yaml 
[root@master install_argocd]# vim new_install.yaml 
[root@master install_argocd]# kubectl apply -f new_install.yaml -n argocd
customresourcedefinition.apiextensions.k8s.io/applications.argoproj.io unchanged
customresourcedefinition.apiextensions.k8s.io/applicationsets.argoproj.io unchanged
customresourcedefinition.apiextensions.k8s.io/appprojects.argoproj.io unchanged
serviceaccount/argocd-application-controller unchanged
serviceaccount/argocd-applicationset-controller unchanged
serviceaccount/argocd-dex-server unchanged
serviceaccount/argocd-notifications-controller unchanged
serviceaccount/argocd-redis unchanged
serviceaccount/argocd-repo-server unchanged
serviceaccount/argocd-server unchanged
role.rbac.authorization.k8s.io/argocd-application-controller unchanged
role.rbac.authorization.k8s.io/argocd-applicationset-controller unchanged
role.rbac.authorization.k8s.io/argocd-dex-server unchanged
role.rbac.authorization.k8s.io/argocd-notifications-controller unchanged
role.rbac.authorization.k8s.io/argocd-server unchanged
clusterrole.rbac.authorization.k8s.io/argocd-application-controller unchanged
clusterrole.rbac.authorization.k8s.io/argocd-server unchanged
rolebinding.rbac.authorization.k8s.io/argocd-application-controller unchanged
rolebinding.rbac.authorization.k8s.io/argocd-applicationset-controller unchanged
rolebinding.rbac.authorization.k8s.io/argocd-dex-server unchanged
rolebinding.rbac.authorization.k8s.io/argocd-notifications-controller unchanged
rolebinding.rbac.authorization.k8s.io/argocd-redis unchanged
rolebinding.rbac.authorization.k8s.io/argocd-server unchanged
clusterrolebinding.rbac.authorization.k8s.io/argocd-application-controller unchanged
clusterrolebinding.rbac.authorization.k8s.io/argocd-server unchanged
configmap/argocd-cm unchanged
configmap/argocd-cmd-params-cm unchanged
configmap/argocd-gpg-keys-cm unchanged
configmap/argocd-notifications-cm unchanged
configmap/argocd-rbac-cm unchanged
configmap/argocd-ssh-known-hosts-cm unchanged
configmap/argocd-tls-certs-cm unchanged
secret/argocd-notifications-secret unchanged
secret/argocd-secret unchanged
service/argocd-applicationset-controller unchanged
service/argocd-dex-server unchanged
service/argocd-metrics unchanged
service/argocd-notifications-controller-metrics unchanged
service/argocd-redis unchanged
service/argocd-repo-server unchanged
service/argocd-server unchanged
service/argocd-server-metrics unchanged
deployment.apps/argocd-applicationset-controller unchanged
deployment.apps/argocd-dex-server unchanged
deployment.apps/argocd-notifications-controller unchanged
deployment.apps/argocd-redis unchanged
deployment.apps/argocd-repo-server unchanged
deployment.apps/argocd-server unchanged
statefulset.apps/argocd-application-controller unchanged
networkpolicy.networking.k8s.io/argocd-application-controller-network-policy configured
networkpolicy.networking.k8s.io/argocd-dex-server-network-policy unchanged
networkpolicy.networking.k8s.io/argocd-redis-network-policy unchanged
networkpolicy.networking.k8s.io/argocd-repo-server-network-policy configured
networkpolicy.networking.k8s.io/argocd-server-network-policy unchanged

 

posted @ 2024-01-24 14:45  IT老登