在写了第一篇文章(我巧妙地管理jsonnet和gitlab)之后的一段时间,我意识到管道固然很好,但是不必要的困难和不便。
在大多数情况下,需要执行典型任务:“生成YAML并将其放入Kubernetes中”。实际上,这就是Argo CD的出色表现。
Argo CD允许您连接Git存储库并将其状态同步到Kubernetes。默认情况下,支持多种类型的应用程序:Kustomize,Helm图表,Ksonnet,裸Jsonnet或仅包含YAML / JSON清单的目录。
对于大多数用户而言,此设置就足够了,但对每个用户而言都足够。为了满足每张Argo CD的需求,可以使用自定义工具。
首先,我对增加对qbec和git-crypt的支持的可能性感兴趣,这些在上一篇文章中已进行了充分讨论。
在继续进行配置之前,您必须首先了解Argo CD的工作方式。
对于每个添加的应用程序,它都有两个阶段:
- init — , : , .
- generate — , YAML stream, , .
, Argo , Helm. Argo CD Helm , .
Argo Helm-, .
QBEC
Qbec jsonnet, Helm-, Argo CD Helm-, Argo CD .
qbec argocd :
- Argo CD custom plugin .
- argocd-repo-server.
# cm.yaml
data:
configManagementPlugins: |
- name: qbec
generate:
command: [sh, -xc]
args: ['qbec show "$ENVIRONMENT" -S --force:k8s-namespace "$ARGOCD_APP_NAMESPACE"']
( init )
$ kubectl -n argocd patch cm/argocd-cm -p "$(cat cm.yaml)"
, init-:
# deploy.yaml
spec:
template:
spec:
# 1. Define an emptyDir volume which will hold the custom binaries
volumes:
- name: custom-tools
emptyDir: {}
# 2. Use an init container to download/copy custom binaries into the emptyDir
initContainers:
- name: download-tools
image: alpine:3.12
command: [sh, -c]
args:
- wget -qO- https://github.com/splunk/qbec/releases/download/v0.12.2/qbec-linux-amd64.tar.gz | tar -xvzf - -C /custom-tools/
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
# 3. Volume mount the custom binary to the bin directory (overriding the existing version)
containers:
- name: argocd-repo-server
volumeMounts:
- mountPath: /usr/local/bin/qbec
name: custom-tools
subPath: qbec
- mountPath: /usr/local/bin/jsonnet-qbec
name: custom-tools
subPath: jsonnet-qbec
$ kubectl -n argocd patch deploy/argocd-repo-server -p "$(cat deploy.yaml)"
:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: qbec-app
namespace: argocd
spec:
destination:
namespace: default
server: https://kubernetes.default.svc
project: default
source:
path: examples/test-app
targetRevision: fix-example
plugin:
env:
- name: ENVIRONMENT
value: dev
name: qbec
repoURL: https://github.com/kvaps/qbec
syncPolicy:
automated:
prune: true
ENVIRONMENT .
:
, !
git-crypt
Git-crypt . git.
git-crypt .
git-crypt unlock
init- custom-, , . Helm Jsonnet, GUI- (values- ).
, .
Argo CD - , -, git:
#!/bin/sh
$(dirname $0)/git.bin "$@"
ec=$?
[ "$1" = fetch ] && [ -d .git-crypt ] || exit $ec
GNUPGHOME=/app/config/gpg/keys git-crypt unlock 2>/dev/null
exit $ec
Argo CD git fetch
. git-crypt unlock
.
docker- :
$ kubectl -n argocd set image deploy/argocd-repo-server argocd-repo-server=docker.io/kvaps/argocd-git-crypt:v1.7.3
, Argo . gpg- :
$ kubectl exec -ti deploy/argocd-repo-server -- bash
$ printf "%s\n" \
"%no-protection" \
"Key-Type: default" \
"Subkey-Type: default" \
"Name-Real: YOUR NAME" \
"Name-Email: YOUR EMAIL@example.com" \
"Expire-Date: 0" \
> genkey-batch
$ gpg --batch --gen-key genkey-batch
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created
gpg: /home/argocd/.gnupg/trustdb.gpg: trustdb created
gpg: key 8CB8B24F50B4797D marked as ultimately trusted
gpg: directory '/home/argocd/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/argocd/.gnupg/openpgp-revocs.d/9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D.rev'
8CB8B24F50B4797D
. :
$ gpg --list-keys
gpg: WARNING: unsafe ownership on homedir '/home/argocd/.gnupg'
/home/argocd/.gnupg/pubring.kbx
-------------------------------
pub rsa3072 2020-09-04 [SC]
9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid [ultimate] YOUR NAME <YOUR EMAIL@example.com>
sub rsa3072 2020-09-04 [E]
$ gpg --armor --export-secret-keys 8CB8B24F50B4797D
:
# argocd-gpg-keys-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: argocd-gpg-keys-secret
namespace: argocd
stringData:
8CB8B24F50B4797D: |-
-----BEGIN PGP PRIVATE KEY BLOCK-----
lQVYBF9Q8KUBDACuS4p0ctXoakPLqE99YLmdixfF/QIvXVIG5uBXClWhWMuo+D0c
ZfeyC5GvH7XPUKz1cLMqL6o/u9oHJVUmrvN/g2Mnm365nTGw1M56AfATS9IBp0HH
O/fbfiH6aMWmPrW8XIA0icoOAdP+bPcBqM4HRo4ssbRS9y/i
=yj11
-----END PGP PRIVATE KEY BLOCK-----
$ kubectl apply -f argocd-gpg-keys-secret.yaml
, argocd-repo-server, deployment:
$ kubectl -n argocd edit deploy/argocd-repo-server
gpg-keys volume projected
, :
spec:
template:
spec:
volumes:
- name: gpg-keys
projected:
sources:
- secret:
name: argocd-gpg-keys-secret
- configMap:
name: argocd-gpg-keys-cm
Argo CD gpg- , .
:
$ kubectl -n argocd exec -ti deploy/argocd-repo-server -- bash
$ GNUPGHOME=/app/config/gpg/keys gpg --list-secret-keys
gpg: WARNING: unsafe ownership on homedir '/app/config/gpg/keys'
/app/config/gpg/keys/pubring.kbx
--------------------------------
sec rsa2048 2020-09-05 [SC] [expires: 2021-03-04]
ED6285A3B1A50B6F1D9C955E5E8B1B16D47FFC28
uid [ultimate] Anon Ymous (ArgoCD key signing key) <noreply@argoproj.io>
sec rsa3072 2020-09-03 [SC]
9A1FF8CAA917CE876E2562FC8CB8B24F50B4797D
uid [ultimate] YOUR NAME <YOUR EMAIL@example.com>
ssb rsa3072 2020-09-03 [E]
, ! Argo CD .
:
$ GNUPGHOME=/app/config/gpg/keys gpg --armor --export 8CB8B24F50B4797D > 8CB8B24F50B4797D.pem
$ gpg --import 8CB8B24F50B4797D.pem
:
$ gpg --edit-key 8CB8B24F50B4797D
trust
5
argo :
$ git-crypt add-gpg-user 8CB8B24F50B4797D
: